                        WEDNESDAY, JUNE 4, 2008

                  House of Representatives,
                            Subcommittee on Health,
                          Committee on Energy and Commerce,
                                                    Washington, DC.
    The subcommittee met, pursuant to call, at 10:07 a.m., in 
room 2123, Rayburn House Office Building, Hon. Frank Pallone, 
Jr. (chairman of the subcommittee) presiding.
    Present: Representatives Pallone, Waxman, Gordon, Towns, 
Eshoo, Green, DeGette, Capps, Baldwin, Schakowsky, Solis, 
Matheson, Dingell (ex officio), Deal, Pitts, Rogers, Myrick, 
Murphy, Burgess, Blackburn, and Barton (ex officio).
    Also Present: Representative Gonzalez.
    Staff Present: Bridgett Taylor, Purvee Kempf, Yvette 
Fontenot, Jason Powell, Bobby Clark, Hasan Sarsour, Lauren 
Bloomberg, Alex Haurek, Ryan Long, Melissa Bartlett, and Chad 
Grant.

OPENING STATEMENT OF HON. FRANK PALLONE, JR., A REPRESENTATIVE 
            IN CONGRESS FROM THE STATE OF NEW JERSEY

    Mr. Pallone. The meeting of the subcommittee is called to 
order. And today we are having a hearing on the Health 
Information Technology and Privacy discussion draft. And I have 
now recognized myself for an opening statement.
    Our Nation's health care system is arguably one of the most 
inefficient and costly systems in the industrialized world. We 
spend approximately $2.7 trillion, or $7,600 per person, 
annually on health care, approximately 16 percent of our 
Nation's gross domestic product. But what has this money bought 
us? Studies show that in spite of all our spending, we do not 
fare any better on important health measures than countries 
that spend a lot less. Skyrocketing health care costs, 
inconsistent quality, and huge disparities in access are just a 
few of the problems that we face.
    Health care experts around the country agree that health 
information technology could improve our system by making it 
safer and less costly. In this modern age, I find it 
unbelievable that our health care system is so out of date. 
Thanks to modern technology, a person can manage their finances 
from their home PC, or order a pizza with a click of the 
button, and yet most patients and providers rely on antiquated 
systems that are counterproductive to the delivery of health 
care. Patients are prompted to recall their entire medical 
history every time they see a medical provider. A lapse in 
memory could lead to duplication of services or worse, medical 
errors. And pharmacists struggle to make sense of handwritten 
prescriptions. Emergency rooms are forced to treat unconscious 
patients without knowing their complete medical history and no 
way to ascertain that information. And all of these problems 
could be solved, I believe, with HIT.
    In addition, we would achieve enormous savings from the 
widespread adoption of HIT. The potential savings is estimated 
to be anywhere from $81 billion to $170 billion annually. Such 
savings would occur by improving coordination of care, patient 
safety, as well as disease management and prevention efforts. 
At a time when the cost of health insurance and medical 
services continue to skyrocket, we could use those savings to 
help improve access for some of the 47 million uninsured 
Americans.
    While some providers have already begun to make the 
investment in HIT, far more have not, essentially because of 
serious financial and operational barriers. I don't know if he 
has arrived yet, but one of the freeholders in New Jersey, Jim 
Carroll of Bergen County, was supposed to be here today. And I 
use him as an example of someone who is trying to take the 
initiative to modernize the medical facilities in his area of 
my State. And he has shown me firsthand the challenges that 
these communities face, but that is why the Federal Government 
should take a more proactive role at facilitating the adoption 
of a nationwide interoperable HIT infrastructure.
    The draft legislation we are reviewing today seems to 
accomplish that goal. The discussion draft before us would 
codify the Office of the National Coordinator for Health 
Information Technology, which would have key responsibilities, 
such as designing a strategic plan for the development and 
implementation of a nationwide HIT infrastructure. The draft 
also would establish two Federal advisory committees that would 
advise the National Coordinator by making recommendations on 
policies and technical standards.
    In order to promote the electronic exchange and use of 
information, the discussion draft also directs Federal agencies 
to use HIT that meet adopted standards, which would help move 
the private sector toward the adoption of HIT as well.
    And the draft also includes financial incentives for 
providers to adopt and use HIT through three new grant 
programs. The first program will offer competitive grants for 
providers to purchase HIT with a preference for small health 
care providers, providers in medically underserved areas, and 
others that have difficulty in acquiring HIT on their own.
    The second program is for States and tribes that will help 
leverage private sector dollars in order to provide low 
interest loans to help providers purchase HIT.
    And finally, the third program provides support for local 
or regional organizations to develop HIT plans.
    This draft also takes an important step towards protecting 
patient privacy. The draft would close a number of loopholes 
under the existing regulatory framework that governs patient 
privacy and security. It would also provide patients with more 
options to control their health information and require 
patients be notified when their protected health information 
has been breached. And I know that the issue of patient privacy 
is very important to members on both sides of the aisle, including 
myself. While I think the provisions included in the discussion 
draft would do a lot to improve the protection of patient 
privacy, I recognize there may be various views on this, and I 
am looking forward to hearing some of those views today and 
working with my colleagues as we move forward with this draft.
    I said at the beginning of my statement we need to move 
forward with modernizing our Nation's health care system, and 
investing in HIT today will help make our system more efficient 
tomorrow, thereby lowering costs and saving more lives.
    I just want to thank some of my colleagues who have worked 
so diligently on the development of this draft, particularly 
Chairman Dingell, who this has been a top priority, as well as 
Ranking Members Barton and Deal. I am pleased that we have been 
able to work with our Republican colleagues and make this a 
bipartisan effort.
    I also want to recognize the efforts of Congressman Waxman, 
Congressmen Markey, Towns, Gordon, Eshoo, Capps, and Gonzalez, 
all of whom have been instrumental in the development of this 
draft. Again, it is a draft and we are continuing to seek input 
on a bipartisan basis relative to the interoperability, the 
privacy sections, as well as the funding mechanisms.
    So I now recognize Mr. Deal for 5 minutes.

  OPENING STATEMENT OF HON. NATHAN DEAL, A REPRESENTATIVE IN 
               CONGRESS FROM THE STATE OF GEORGIA

    Mr. Deal. Thank you, Mr. Chairman. I want to thank you for 
holding this hearing today in order to evaluate legislation 
which will promote the adoption of information technology in 
the health care system. In my mind, the expansion of health HIT 
is one of the most fundamental reforms that we should make to 
improve health care delivery. The creation of an electronic 
system to track medical records will sharply reduce the number 
of medical errors and help eliminate inefficiencies and waste 
in the system.
    Health HIT systems hold the potential to significantly 
improve health care by eliminating illegible handwritten 
prescriptions, providing immediate access to laboratory test 
results, and making a patient's full medical history available 
to their treating physician no matter where that patient seeks 
treatment.
    I appreciate the Chairman's willingness to produce a 
bipartisan proposal on this issue, and I look forward to 
continuing to work with him and with our subcommittee chairman 
as we move forward in developing a bill for introduction. It is 
my hope that the legislation will strike an important balance 
so that the congressional action does not impede or limit 
reforms which are already transforming this marketplace.
    Innovators, health care providers, health care payment 
systems, and patients should drive the changes. We are already 
seeing many hospitals, physicians, pharmacies, and payors 
moving forward in the implementation of this technology. 
However, I believe we can speed the adoption of these 
technologies through targeted congressional action.
    I have been pleased by Secretary Leavitt's leadership in 
promoting many discussions and demonstrations on health HIT, 
which will be helpful in its future. I believe the proposal we 
are considering today will help ensure this momentum will not 
be lost when we have a change of administration next year.
    There remain some issues which I hope we can continue to 
explore through this hearing. Our proposal makes some changes 
to existing medical privacy laws to ensure that patients' 
personal medical records remain private as health care moves 
into the electronic realm. I look forward to our witnesses' 
feedback on this issue as we seek to balance these protections 
while maintaining a workable framework so that patients can 
reap the benefits of better health care through the use of 
technology.
    The draft does not contain any Stark or anti-kickback 
relief allowing providers to receive health information 
hardware and software without triggering the penalties of that 
statute. This issue was a major component of our work on health 
IT last Congress, and I hope our witnesses can speak to the 
appropriateness of its inclusion in what we do this year.
    In conclusion, I want to thank the witnesses on both panels 
for their participation in this hearing today and hopefully we 
can all move forward to produce a meaningful piece of 
legislation. I yield back my time.
    Mr. Pallone. Thank you, Mr. Deal.
    Mr. Waxman.

OPENING STATEMENT OF HON. HENRY A. WAXMAN, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mr. Waxman. Mr. Chairman, I want to thank you for holding 
this hearing to examine the complex issues surrounding the 
promotion of electronic health information technology. I think 
the draft that we have been provided is an improvement, and I 
thank you for the hard work you and your staff put into it. The 
use of electronic health information has many potential 
benefits, including promoting swift and effective communication 
between multiple health care providers that may be coordinating 
the treatment of a patient; however, as we continue to develop 
and use health information technology, we must ensure that 
sufficient privacy and security protections are in place.
    Our health care system will not be effective if privacy 
fears deter Americans from seeking appropriate treatment. 
Unfortunately, survey after survey demonstrates that American 
consumers lack confidence that their privacy and security of 
their personal health information will be protected. Moving 
health records into electronic form is only likely to increase 
this anxiety.
    We have also had continuing reports of privacy and security 
breaches. This has served as a warning about the need for 
attention to this issue.
    According to Privacy Rights Clearinghouse, over 200 million 
records containing sensitive personal information of U.S. 
residents have been compromised because of security breaches 
since 2005. The Administration's lax approach to enforcing 
existing medical privacy requirements has raised additional 
concerns. A recent L.A. Times article reported that the 
Administration has not imposed a single civil fine under the 
Federal Medical Privacy Rule, despite over 30,000 complaints of 
violations since the rule has been in effect. And I am pleased 
that the discussion draft contains a number of important 
privacy protection and security protections, including 
provisions to require breach notification, to encourage 
entities that maintain health information to share the least 
amount of data necessary with other entities, and to extend 
privacy requirements to certain entities that handle health 
information but are not currently covered by the Federal health 
privacy rule.
    I believe this draft represents an improvement. I think it 
is important we consider whether other steps should be taken to 
ensure appropriate protections for consumers, such as 
additional tools to promote improved enforcement of Federal 
health privacy law, and in this regard I am very interested in 
learning what the views are of our distinguished panelists 
regarding these and other provisions.
    I also want to underscore that the process of developing 
standards for health information technology systems should 
ensure public input from all the diverse stakeholders and 
government should play the leadership role in this area. 
Today's hearing is an important step towards that end.
    Mr. Pallone. Thank you, Mr. Waxman. The gentleman from 
Pennsylvania, Mr. Pitts.
    Mr. Pitts. Thank you, Mr. Chairman, for scheduling this 
very important hearing on a very important issue. I look 
forward to hearing our distinguished witnesses, and I will 
reserve my time.
    Mr. Pallone. Mr. Dingell, the Chairman of the Full 
Committee, recognized for an opening statement.

OPENING STATEMENT OF HON. JOHN D. DINGELL, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF MICHIGAN

    Mr. Dingell. Mr. Chairman, thank you for your courtesy. I 
commend you for this hearing. It is a very important matter. 
The hearing today will focus on a legislative discussion draft, 
and I want to emphasize that so that our comments may be 
properly focused. And we hope that this draft will lead us to a 
discussion and to the enactment of legislation that will 
improve the quality and efficacy of health care in this country 
through the adoption of a good new Health Information 
Technology, HIT.
    We have before us an opportunity to increase our Nation's 
ability to provide better quality of care, significantly reduce 
health care costs, and to strengthen the privacy protections of 
the American people in a new electronic world.
    The care provided by doctors, nurses, pharmacists, and 
other health care entities is based on information about the 
individual patient, such as medical history, previous 
treatments, past surgeries, drug allergies, and much more. If 
that patient's information is inaccurate or incomplete, it can 
lead to devastating consequences such as serious medical errors 
or the failure to detect dangerous conditions early on. 
Furthermore, giving health care providers access to a patient's 
up-to-date medical history could reduce costs by avoiding 
unnecessary or duplicative diagnostic testing or treatment.
    The discussion draft legislation that we will focus on 
today represents a strong bipartisan agreement of the need to 
facilitate the creation of health information systems that are 
electronically maintained and exchanged. It codifies the Office 
of the National Health Coordinator for Health Information 
Technology in order to develop and implement a nationwide HIT 
infrastructure, which includes use of electronic health records 
for all individuals as well as electronic exchange of health 
information amongst those entities that are essential for the 
delivery of health care.
    An additional but fundamental component of this legislation 
will strengthen the law to ensure that the privacy and security 
of an individual's health information are well protected, a 
matter of major concern. The discussion draft fills in the gaps 
in the current law to ensure that an individual's electronic 
personal health information is only used for legitimate and 
appropriate purposes.
    I want to thank the witnesses who will be testifying today 
on this legislation. I want to thank my colleagues on both 
sides of the aisle for encouraging the establishment of a more 
effective health care system in this country.
    I am particularly proud of the work done by our good friend 
and colleague, the Ranking Minority Member, Mr. Barton, by 
Subcommittee Chairman Pallone and Ranking Member Deal in 
developing this new draft bill. I also want to acknowledge the 
important contributions and the leadership of Ms. Eshoo, Mr. 
Rogers, Mr. Gordon, Mr. Waxman, Mr. Gonzalez, Mr. Markey, Mrs. 
Capps, and Mr. Towns. All of them have made enormous 
contributions to moving these matters forward, and I want to 
thank them and congratulate them. I look forward to working in 
a bipartisan manner on this legislation so that we may 
introduce and then move forward with this important legislation 
to address major concerns of the country with regard to better, 
cheaper, and more efficiently delivered health care.
    Thank you, Mr. Chairman.
    Mr. Pallone. Thank you, Chairman Dingell. The 
gentlewoman from Tennessee, Mrs. Blackburn, recognized for an opening 
statement.

OPENING STATEMENT OF HON. MARSHA BLACKBURN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mrs. Blackburn. I want to thank you, Mr. Chairman, for the 
hearing to discuss the draft legislation. And I want to welcome 
everyone who is here to talk with us and work with us through 
this process. I do believe that it is critical for Congress to 
focus on transforming our health care system because there are 
three things that we really can do with this: we can improve 
quality; we can reduce costs; and we can facilitate better 
access for all Americans through the implementation of health 
IT. Congress will connect patients, doctors, hospitals, and the 
entire extended health care community to provide real-time data 
sharing between all sectors of the health system.
    In my district in Tennessee, Hurricane Katrina was a 
stunning reminder of the vulnerability of our health care 
system as individuals from the Gulf Coast came to the Memphis 
area to seek medical care. Quite simply, the storm exposed the 
weaknesses of the Nation's health IT infrastructure.
    We can transform the American health system from an 
outdated model based on paper records stored in filing 
cabinets--how outdated does that sound--to a comprehensive and 
secure electronic system that is accessible by patients, 
physicians, health care providers in any circumstances and on 
an as-needed basis. How wonderful that would be.
    The benefits of health HIT are just not theoretical. From 
our Department of Health and Human Services, they are reporting 
that medical records can reduce health spending as much as 30 
percent annually. There are 98,000 deaths each year caused by 
medical errors. This could be reduced if health care providers 
had access to complete information and treatment histories for 
their patients.
    Tennessee is actually a leader in this arena. The State of 
Tennessee implemented the E-health initiative, which provides 
all of our routine care patients with an electronic record. 
That is our Medicaid delivery system in Tennessee. The State 
estimates for every dollar spent on the new technology they are 
saving between $3 and $4 in duplicate tests and medical errors.
    In addition, Tennessee is one of nine States participating 
in a project to coordinate multiple local health information 
connections through the CMS Office of the National Coordinator 
for Health IT. We also have Vanderbilt University Center, which 
has implemented a highly functional, interconnected 
computerized health IT system. They have lowered their costs 
dramatically by streamlining their records keeping and 
improving patient care.
    We are looking forward to hearing from each of you and 
looking forward to what we can save in dollars, but also how we 
can improve the quality of life for all of our citizens and how 
we can improve the delivery of health care for all Americans. 
And I yield back.
    Mr. Pallone. Thank you. Next is the gentlewoman from 
California, Ms. Eshoo, who has been a leader on this issue for 
a long time. I recognize her for an opening statement.

 OPENING STATEMENT OF HON. ANNA G. ESHOO, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Eshoo. Good morning, Mr. Chairman. And thank you. 
Welcome to all of the witnesses. Thank you for being here. 
Especially Ms. Dare, who hails from Texas but whose company, 
Cisco Systems, is part of the region that I have the privilege 
to represent: Silicon Valley. It is one of the leading, 
obviously, technology companies in the world.
    In February of this year, I had the privilege of hosting a 
health care forum at Stanford University with President John 
Hennessy; Dr. Zerhouni, who heads up the NIH; Speaker Pelosi; 
and other top experts from the medical and health care 
community. Our discussion really centered in and around a vast 
reshaping of our health care system. It didn't deal with the 
issues that we take up here incrementally, and that is the gaps 
in health insurance for children, those that are uninsured. It 
is not what our discussion was about. And front and center 
there was unanimity amongst all of the participants that 
fundamental changes have to occur in our health care system to 
incorporate and to leverage the benefits of technology.
    It was said by, I believe, other members of the Committee 
that we live in the Information Age, but health care, one of 
the most information intensive segments of our economy, remains 
mired mostly in a paper-and-pen past. We can buy airline 
tickets from a home computer, we can pay our taxes online, we 
can even buy a car with a few mouse clicks, but our health care 
system remains dangerously disconnected. Patients' medical 
histories are largely disaggregated amongst the various 
physicians who treat them, and they are often inaccessible to a 
new doctor or even to the patients themselves.
    So we have a lot of work to do. We recognize it. It is how 
we are going to do it. And these inefficiencies cost. They cost 
the patient, they cost the system, they cost the taxpayer. It 
really doesn't speak very well about a country that leads in 
technology that we would have one of the major economic sectors 
of our economy that is left mired in this pen-and-paper past.
    To accelerate the adoption of HIT and create market 
conditions incentives, which it is going to take that. It is 
not just going to take the legislation. The legislation has to 
bring in the stakeholders because they are going to have to be 
making investments and we have to encourage the investments 
that have to be made across the country.
    Representative Mike Rogers, a member of this committee, and 
myself introduced H.R. 3800 last October. It is called the 
Promotion of Health Information Technology Act. It is 
bipartisan legislation, obviously, and it is endorsed by a very 
diverse group of organizations, the AARP, the Business 
Roundtable, SCIU, the Information Technology Industry Council, 
the American Electronics Association, and the Health Care 
Information and Management Systems Society.
    Our bill builds on the excellent work that Senators Kennedy 
and Enzi have done, which has also garnered broad support in 
the Senate and which is likely to secure Senate passage in the 
coming weeks. My hope was that the committee would take that 
bill up because it is bicameral, bipartisan, it has industry, 
employer, patient and professional support. But we have a draft 
discussion before us today and Chairman Dingell chose to go the 
direction that we are going, and I look forward to working with 
everyone because I have a real commitment to this.
    The discussion draft closely resembles H.R. 3800 in almost 
all respects and includes the important principles that it sets 
forth. I think that any meaningful HIT legislation must 
establish a process for the rapid formulation and 
implementation of standards to facilitate the exchange of 
interoperable health data and create incentives to ensure that 
the technologies are actually adopted.
    Like H.R. 3800, the draft bill established a streamlined 
process for the adoption of HIT and requires the government to 
abide by the standards it sets. If we do the legislation well, 
there will be a lot of power to it and that power of HIT stands 
to transform the American health care system. I think that that 
is really clear. But without the aggressive action by the 
Congress to promote and adopt it, we won't see the benefits of 
these innovative technologies.
    We have to keep in mind that the Federal Government is----
    Mr. Pallone. The gentlewoman is 2 minutes over.
    Ms. Eshoo. I will conclude.
    The most significant player in health care in the Nation. 
So the standards that we set are the standards that will be the 
model for the rest of the country.
    So, Mr. Chairman, I look forward to this, and I thank the 
witnesses again.
    Mr. Pallone. Thank you. The gentleman from Texas, Mr. 
Burgess.

OPENING STATEMENT OF HON. MICHAEL C. BURGESS, A REPRESENTATIVE 
              IN CONGRESS FROM THE STATE OF TEXAS

    Mr. Burgess. Thank you, Mr. Chairman. I also want to thank 
you for holding the hearing today. It looks like we have got a 
great panel ahead of us. I think it is important that we always 
hear from our medical community, but I am anxious to also hear 
from the technology companies and from the patients to help 
inform our Federal information technology policy.
    So this bill that we have in front of us, I have been 
studying it. I hope I can hear from the panel today how this 
will be helpful. I am not entirely convinced myself, but I do 
know that any time this committee sits down and works on 
legislation pertaining to the practice of medicine, I always 
get a little nervous because unintended consequences--remember, 
unintended consequences used to take a generation to come back 
and bite us. Now they seem to be doing it in about 4 months. So 
unintended consequences are something that I really want to 
concentrate on in this legislative hearing.
    I was greatly concerned that this draft would have required 
any new electronic transaction to require patient consent. It 
is important that we protect the privacy of sensitive patient 
information, but we shouldn't do the one thing that would kill 
digitizing medicine, complicating the normal and routine in 
medical treatment by requirements with which patients would 
have a difficult time in complying.
    We heard the Chairman talk about codifying the Office of 
the National Coordinator on Health Information, that it could 
be a positive step. I wait to hear the testimony of the panel 
in front of us today. Five years ago when I arrived here, this 
was talked about as something that was going to bring great 
change to the information technology community and medicine and 
5 years later it hasn't happened, and yet the private sector 
has moved forward with several initiatives that I think are 
extremely compelling, and I do hope we get to visit about those 
today. The standards, the interoperability. My understanding is 
there are private companies out there now who are dealing with 
this and dealing with it quite successfully. So I wonder why we 
need to codify that into Federal law. But maybe I am wrong. And 
I will certainly be willing to listen to that testimony.
    I am uncertain whether providing the financial incentives 
such as grants will be effective. We have great testimony from 
Dr. Stack and I certainly look forward to hearing his 
information, but I would be remiss if I did not mention the one 
thing that he brings out in his testimony, this 10 percent 
reduction in physician reimbursement rates that we built into 
the structure that is happening in less than 4 weeks' time. It 
is critical that we address that. I urge my colleagues to look 
at 6129, that would temporarily halt those cuts for 7 months 
fully paid for by the same offset we used in the Medicaid 
moratorium. So I certainly appreciate the AMA being here this 
morning and bringing that issue to our attention.
    This committee does not have jurisdiction over antitrust-
related issues and we have to address that in order to further 
use and encourage the deployment of health information 
technology. I believe the administration's rule in providing an 
exception to the physician's self-referral prohibition at a 
safe harbor under the anti-kickback statute are certainly short 
of the mark as far as the underlying changes we need to make in 
the Starr clause to fully integrate our solo or group medical 
practices and integrate those with the emergency room at the 
hospital. Allowing for the donation of equipment or an 
electronic health record is a good first step, but the law 
still prohibits closer contractual agreements between doctors' 
offices, hospitals and other health care providers.
    I have introduced other legislation, 5885, the Health 
Information Technology Promotion Act of 2008, that would 
accomplish just that. I think we need to tackle this artificial 
legal separation in order to do what many of the advocates say 
they want to do and bring medicine into the digital economy.
    Thank you, Mr. Chairman. I will yield back.
    Mr. Pallone. Thank you. I recognize our vice chair, Mr. 
Green, for an opening.

   OPENING STATEMENT OF HON. GENE GREEN, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Green. Thank you, Mr. Chairman, for holding the hearing 
on the discussion draft of the health information technology 
and privacy legislation. There is no question that widespread 
use of electronic health records and the need for prescribing 
will bring tremendous benefits to the health care sector and 
the patients it serves. We know that health IT is a potential 
for health care savings and for coordinating care.
    For a number of years, I have introduced a bill called the 
Generic Assessment and Chronic Care Coordination Act. This lack 
of coordinated care in our country is startling. But if we 
could coordinate our care through health IT, we would have the 
potential to change our health care system. We have always seen 
electronic health records and need for prescribing as a goal, 
but have been less certain on how to reach that goal. However, 
I think that the perfect example for the need for health IT is 
what happened during Hurricane Katrina. In Houston, we welcomed 
more than 150,000 residents from New Orleans and Louisiana. And 
the only example we had of being able to treat those folks was 
the electronic records system that was developed within the VA 
and the medical professionals at Houston VA Medical Center were 
able to access the health records for the evacuees who had 
typically received care at the VA hospital.
    I stood out at the Astrodome and watched people getting 
triaged because they didn't bring their medicine, they didn't 
remember what type of medicine they brought. But with the 
veterans, we were able to get their care very quickly. So with 
this information in hand, there is no doubt that our VA doctors 
were able to provide the evacuees with better care.
    We need to determine the best approach to create a 
comprehensive system that operates effectively and yields 
significant benefits for both patients and providers. We also 
need to ensure that our systems are interoperable so that we 
can actually achieve our goal of coordinating care in our move 
to facilitate the implementation of health IT. Let us make sure 
that the privacy laws have been enacted to protect our 
patients.
    Make no mistake that today's paper records should be behind 
us and it is a matter of efficiency and quality care. We have 
overwhelming support on both sides of the aisle for the 
development of the health information technology, and I am 
pleased the committee draft worked in a bipartisan manner to 
come up with this. And I look forward to hearing from our 
witnesses.
    And with that, Mr. Chairman, again thank you for the 
hearing. I welcome our witnesses and yield back my time.
    Mr. Pallone. Thank you, Mr. Green. Next I recognize for an 
opening statement the ranking member of the full committee, Mr. 
Barton.

   OPENING STATEMENT OF HON. JOE BARTON, A REPRESENTATIVE IN 
                CONGRESS FROM THE STATE OF TEXAS

    Mr. Barton. Thank you, Mr. Chairman. Today we are reviewing 
a bipartisan discussion draft that has been developed with our 
stakeholders in the staffs of both the Republican and the 
Democrat members of this subcommittee and full committee. The 
draft before us today is largely based on what we have heard 
from the health IT community. They believe and it is most of us 
on this subcommittee believe something must be done to 
accelerate the widespread adoption of health IT.
    The discussion draft that we have today reflects the need 
to push forward to establish the public/private partnership 
with the government and the market to develop and implement a 
truly interoperable health care system so that every person in 
this country will have an electronic medical record by 2014. I 
applaud this goal. I applaud this product. I believe that 
health IT holds the promise of actually providing some real 
savings in overall health care spending as well as improving 
health outcomes for patients.
    The discussion draft before us today reflects the need to 
look at how health information currently moves through the vast 
health care system to provide providers and plans and their 
business associates and identifies a few gaps where the current 
HIPAA regime could be strengthened. I will name just a few.
    First, the draft promotes better enforcement against 
parties that cause the harm. Today if a business associate is 
the party that improperly used or disclosed the participant's 
information, there is no HIPAA enforcement by the government 
against the business associate. This gap is filled in by the 
discussion draft.
    The draft also provides patients with the right to know 
when a breach of their information has occurred. There is 
currently no breach notification requirement in HIPAA. This gap 
is also filled in in the discussion draft.
    Mr. Chairman, let me express my gratitude to you and to 
full committee Chairman Dingell for the opportunity to work in 
a bipartisan basis. I think this draft shows that when we do 
really work in a bipartisan basis, we can work together through 
the committee to build legislation that will work. I would ask 
our colleagues on both sides of the aisle to continue to work 
on this product to fine-tune it at the subcommittee and full 
committee level so we can move a bill through committee and on 
to the floor and hopefully on to the other body and pass a bill 
that the President can sign this year.
    I yield back the balance of my time.
    Mr. Pallone. Thank you. The gentlewoman from California, 
Mrs. Capps.

   OPENING STATEMENT OF HON. LOIS CAPPS, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Mrs. Capps. Thank you, Chairman Pallone. And I appreciate 
the fact that we are having this hearing today and for your and 
Chairman Dingell's tireless work to get a bill moving on HIT 
and privacy. And I appreciate the array of witnesses, expert 
witnesses, that we have here for this hearing. The issue that 
is before us has been percolating for years and it is a credit 
to you both, Chairman Dingell and Pallone, that we are moving 
forward today.
    Health care is probably one of the last few industries that 
is dominated by a paper-based recordkeeping system. As a nurse, 
I know all too well what it is like to try to maintain a 
bulging cabinet--several cabinets filled with medical files. I 
also know what it is like to try to read through a large file 
containing years of information often haphazardly organized and 
perhaps with some important pieces having slipped away.
    It is quite frustrating that while I can be confident in J. 
Crew having a record of what color and sized pants I ordered in 
2002, my physician may not know the last time I had a tetanus 
shot.
    A national standard for implementation of electronic health 
record systems is long overdue, and I am very supportive of 
Titles I and II of the draft bill that address adoption and 
testing.
    It is my hope that today we can discuss some issues of 
great importance. Countless breaches of personal health 
information have occurred over the last several years as 
electronic records have become more common. First and foremost, 
we lack a clear definition of privacy and the right to privacy 
and security with respect to personal health information. I 
believe defining this right is key to ensuring greater 
protection for our patients.
    Furthermore, we need to specify language regarding the 
segregation of sensitive health information which was 
recommended by the National Committee on Vital Health 
Statistics.
    Other areas of improvement I would like to see are public 
lists where security breaches have occurred and a more explicit 
mandate of security measures like encryption and audit trails.
    I do want to thank the Committee for putting together this 
draft. It is a great way to start this conversation and for 
seriously considering the important privacy issues that need to 
be addressed. Expanding the scope of which entities are covered 
is crucial.
    So Mr. Chairman, I thank you for all of your attention to 
these issues, and I do look forward to continuing to work with 
you and with all of us on them. And thank you and I yield back.
    Mr. Pallone. Thank you, Mrs. Capps. The gentleman from 
Pennsylvania, Mr. Murphy, recognized for an opening statement.

   OPENING STATEMENT OF HON. TIM MURPHY, A REPRESENTATIVE IN 
         CONGRESS FROM THE COMMONWEALTH OF PENNSYLVANIA

    Mr. Murphy. Thank you, Mr. Chairman. I am happy to see this 
bill being considered by committee. A couple of years ago, my 
friend Patrick Kennedy and I had introduced legislation dealing 
with health information technology and seeing that at that time 
as an important cost savings and patient quality and patient 
saving measure. We have a $2 trillion health care system in 
this country and some $400 to $500 billion of that each year is 
wasted, wasted on unnecessary tests of avoidable complications 
and several other elements where you see the system not working 
as well.
    All of us have experienced in our families sometime when 
someone got an X-ray, you showed up at the doctor's office and 
he said do you have that X-ray with you. No is your response, I 
didn't carry this large package with me. That is OK, he will 
say, we will just order another and another and another and 
another. And those costs add up. And it is the death by those 
thousand cuts that is crippling the cost of our health care 
system. By adopting electronic medical records, we can reduce 
health care costs perhaps as much as 30 percent. RAND 
Corporation said $162 billion in direct savings and perhaps 
another $150 billion a year in otherwise lost work time and 
lost wages and lost productivity. We can save massive amounts.
    We also have to understand just in terms of what this means 
for patient frustration and those darn clipboards we have to 
fill out on every floor of every hospital that don't get to the 
next department to make it on. Like my colleague across the 
aisle, I too, when I have worked at hospital, would oftentimes 
be seeing patients, and as pediatric patients may only be a few 
weeks old or a few years old and yet there would be voluminous 
files and somehow in a few minutes we would have to go through 
those and find important information, information that if we 
had at our finger tips could make a huge difference in cost 
savings and an improved diagnosis and care of the patients.
    I hope we get to a point in this Nation when it is seen as 
commonplace and people will feel comfortable with carrying a 
credit-card sized medical record in their wallet that they are 
assured is private and secure and safe. I want to know that 
myself or family members if they are ever in an accident or 
unconscious, someone can access that easily and readily but 
with proper security and proper confidentiality.
    It seems to me in this Nation if we figured out a way to 
prevent nuclear missiles from launching, we ought to be able to 
figure out a way to keep patient records safe and private in 
whatever mechanisms are possible. But what we have to see here 
is a way of using this aggressively to lower health care costs 
by improving patient safety and patient quality.
    I am delighted to be here and look forward to either 
hearing or reading about the testimony today. We have some 
people that have some great experience on what has been done. I 
am looking forward to that. And, Mr. Chairman, I think this is 
a vitally important bill to move forward and move forward on 
this. It literally will help us save lives. I yield back.
    Mr. Pallone. Thank you, Mr. Murphy. The gentlewoman from 
Wisconsin, Ms. Baldwin.

 OPENING STATEMENT OF HON. TAMMY BALDWIN, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF WISCONSIN

    Ms. Baldwin. Thank you, Mr. Chairman. I appreciate the fact 
that you are holding this important hearing today. I am really 
happy that we are taking time today to focus on health care IT. 
Like many of the other members who have spoken before me, I 
wanted to add my voice of support. I would also like to commend 
Chairman Dingell, Chairman Pallone, Ranking Member Barton, and 
Ranking Member Deal for working together to create the health 
care IT discussion draft that we will be reviewing and 
examining today. Congressional action on this topic I think is 
long overdue, and I am hopeful that we can continue to work in 
a bipartisan spirit and take some first steps on supporting and 
encouraging health care IT adoption.
    It is easy to understand why health care IT is so popular. 
The potential for error reduction, reduction of duplicative 
tests and exams, the decision support that is provided with 
many of the health care IT packages, it has such potential for 
improving patient care, making better use of scarce resources, 
and frankly the collection of data for research potential is 
huge. Imagine the opportunities for medical collaboration with 
health care IT that it can provide a rural doctor who needs to 
consult with a specialist who is hundreds and maybe even 
thousands of miles away, or imagine the research potential that 
this deidentified or anonymized electronic data holds to learn 
and understand things like dangerous side effects of a widely 
prescribed drug as just one example.
    So I am encouraged that we are taking up this important 
topic. I am glad to see that the discussion draft codifies the 
Office of the National Coordinator for Health Information 
Technology. This is a basic and first step that is long 
overdue. I am also glad that the discussion draft provides some 
much needed resources for providers to adopt health care 
information technology into their practices: The financial 
barrier to health care IT adoption is very significant and 
these resources will help ensure that all Americans have access 
to health care IT systems as a part of the health care they 
receive.
    So again, Mr. Chairman, thank you for holding this hearing 
and thank you to the witnesses who are about to testify.
    Mr. Pallone. Thank you. The gentlewoman from California, 
Ms. Solis, recognized for an opening.

 OPENING STATEMENT OF HON. HILDA L. SOLIS, A REPRESENTATIVE IN 
             CONGRESS FROM THE STATE OF CALIFORNIA

    Ms. Solis. Thank you, Mr. Chairman. I also want to commend 
you for convening this hearing today. As the development and 
implementation of health information technology moves forward, 
I would like to just bring up the notion that we do not leave 
communities of color and underrepresented communities behind. 
Latinos, Asians, African-Americans and Native Americans face a 
wide range of health care disparities, including lack of access 
to health insurance and lack of diverse health professionals, 
and bear a disproportionate burden of impact of chronic and 
preventable diseases.
    According to the National Association of Community Health 
Centers, only 8 percent of health centers are using electronic 
health record systems compared to 18 percent of private office-
based primary care physicians. I am proud that the South 
Central Family Health Center in Los Angeles has taken the lead 
in planning health IT activities for the Community Clinic 
Association of Los Angeles County. They recently received a 
grant from the Health Services and Resource Administration to 
help plan for adoption of electronic health records and other 
IT innovations.
    This is a good step in the right direction, yet many of the 
individuals that I represent in Los Angeles County represent 
low-income families who are under-insured and uninsured and 
depend on community health clinics and a safety net hospital 
system to provide and receive their care. Many of these health 
care providers, especially community migrant and homeless 
health centers, do not have the ability to adopt health IT.
    I am pleased at least today that the discussion draft 
before us will help provide funds for health IT for such 
organizations. I believe that HIT holds promise as a tool to 
reduce health care disparities by ensuring that language 
assistance is also present to facilitate effective 
communication between health care professionals and their 
patients with limited English proficiency. In L.A. County 
alone, nearly one out of three residents, or approximately 2.5 
million people, speak a language other than English at home. 
However, health IT standards must take into consideration 
persons with limited English proficiencies. This is why I will 
be asking the GAO to examine health IT standards and language 
access and believe we must ensure that underrepresented 
communities and those who provide care to them are part of the 
process and solution.
    I look forward to hearing from our witnesses. I just want 
to make one last note, that the Health and Human Services 
Office of Civil Rights has a tremendous workload now. And I 
believe that business associates should also be accountable for 
violations of the HIPAA privacy rule. The Office of Civil 
Rights, as you know, is already overburdened by existing 
privacy complaints, and consequently complaints related to 
discrimination, language access and racial and ethnic health 
disparities are not being adequately addressed in my opinion. 
And I hope that we can find ways to make sure that the Office 
of Civil Rights will have adequate resources and personnel to 
conduct these additional duties.
    So I thank the witnesses today and I thank the chairman for 
having this hearing.
    Mr. Pallone. Thank you, Ms. Solis. And next for an opening 
statement, the gentleman from New York, Mr. Towns.

 OPENING STATEMENT OF HON. EDOLPHUS TOWNS, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF NEW YORK

    Mr. Towns. Mr. Chairman, I would like to waive my opening 
statement and basically to thank you and, of course, Dingell 
and, of course, Deal and everybody who put together this 
working document. And I think that it is important that we move 
forward with this because when we look at disparities and all 
of that I think that this provides us an opportunity to correct 
a lot of things that are going on. And let me just make this 
statement and then I am going to close, that when it comes to 
health and health record, it is amazing what is going on out in 
the world. You know, a whole hospital closed and, of course, 
the records were just thrown in the street and--I mean, that to 
me is just unbelievable in this day and age.
    So I think that when we look at the health IT, I think that 
maybe we will be able to empower people that need to be 
empowered when it comes to their health and the health care. 
So, Mr. Chairman, thank you very much and I yield back.
    Mr. Pallone. Thank you, Mr. Towns. I think that concludes 
our opening statements by members of the subcommittee. So we 
will now turn to our witnesses. And I see the panel is seated 
in front of us. I want to welcome all of you here today. And 
let me introduce the members of the panel. I will start from my 
left to right.
    First is Dr. Steven Stack, who is a Member of the Board of 
Trustees and Chairman of the HIT Advisory Group for the 
American Medical Association. Then is Dr. Byron Thames or 
Thames, AARP Board of Directors from here in D.C. And then we 
have Ms. Frances Dare, who is Director of Cisco Internet 
Business Solutions Group from Richardson, Texas. And Mr. Marc 
Reed, who is Executive Vice President of Corporate Human 
Resources for Verizon Corporation. And then we have Mr. James 
Ferguson, who is Executive Director, Health IT Strategy and 
Policy for Kaiser Permanente. And welcome next is Dr. Joycelyn 
Elders, who is the former U.S. Surgeon General. Thank you for 
joining us today. And she is also Co-Chair of the African 
American Health Alliance out of Little Rock, Arkansas. And then 
we have Dr. Deborah Peel, who is Founder and Chair of the 
Patient Privacy Rights Organization in Austin, Texas. And 
finally Ms. Deven McGraw, who is Director of the Health Privacy 
Project for the Center for Democracy and Technology here in 
Washington, D.C.
    And he is not speaking today, but I did want to mention 
since he came in--I mentioned him in my opening statement--is 
freeholder Jim Carroll from Bergen County, New Jersey, who as I 
mentioned before has taken the initiative in trying to spread 
health IT throughout our medical centers in the northern part 
of New Jersey. Thank you for being here today as well.
    The way we operate I think you know is that we essentially 
hear 5-minute opening statements from each of you. Try to limit 
it to that if you can because we have a big panel. Your 
statements become part of the hearing record. And we may at the 
discretion of the subcommittee submit additional brief and 
pertinent statements in writing, questions essentially for you 
to follow up on later. And I will now recognize Dr. Stack to 
begin.
    Dr. Stack. Thank you.
    Mr. Gordon. Mr. Pallone, I am sorry. I was in a markup. But 
could we ask by unanimous consent that I be able to give a 
brief opening statement or is that too out of order?
    Mr. Pallone. No, it is not out of order. Without objection, 
so ordered. And Dr. Stack will let Mr. Gordon make an opening 
statement.
    Mr. Gordon. I want to say nice things about you, but I need 
to find it.
    Mr. Pallone. You don't have to say nice things about me, 
Bart.

  OPENING STATEMENT OF HON. BART GORDON, A REPRESENTATIVE IN 
              CONGRESS FROM THE STATE OF TENNESSEE

    Mr. Gordon. OK. Again, thank you, Mr. Chairman, for 
allowing me to have this opportunity. And I want to make very 
clear that I fully support Chairman Pallone and Chairman 
Dingell's efforts to have Congress play a more active role in 
developing a national electronic health care record 
infrastructure. The goal of this draft legislation is to 
promote and improve current Federal efforts. HHS is behind 
schedule and little progress has been made since the 
President's announcement in 2004. In addition, HHS has yet to 
develop a strategic plan on how it intends to proceed.
    If we want to develop a seamless network of electronic 
health care information, key components are the technical 
standards to ensure interoperability, security, and electronic 
authenticity for confidentiality. However, technical assistance 
alone is not enough, there must also be technical 
conformance tests and test beds to guarantee software products 
meet the required standards.
    When the financial services, banking, retail, and 
manufacturing and telecom industries faced similar challenges 
in developing these technical standards and conformance tests, 
they turned to a single Federal agency for assistance, the 
National Institute of Standards and Technology, or NIST. 
Working with these industries in the private sector, NIST 
developed standards and tests that have been beneficial for 
NIST efforts. Last year, the Committee on Science and 
Technology reported out a bipartisan bill to use NIST in 
addressing these technical issues. Through resolution of 
technical hurdles, it is necessary first--the first step toward 
broadly developing health care IT, it is important that 
Congress takes a comprehensive approach to addressing this 
issue.
    I believe this bill we are discussing today does that. The 
draft legislation highlights the importance of technical 
standards and conformance tests and acknowledges NIST's 
experienced and proven track record.
    I want to thank Chairman Pallone and Chairman Dingell for 
working with me in addressing this key issue. Most of the focus 
of EHR has been as cost saving measures. As we recall, a CBO 
report stresses EHRs have the potential to significantly reduce 
costs. However, our focus should also be on the demonstrative 
fact that a fully operable EHR system can improve patient care 
and make it easier for our health care professionals to do 
their job. Health care costs are important. However, the bottom 
line is we should make every effort to improve the quality and 
efficiency of care delivered to our constituents.
    Once again, I want to thank you, Chairman Pallone, and 
Chairman Dingell and your staff for working with us and putting 
it together, as well as the minority. This has been a good 
collaborative effort and we are going to get a good bill and a 
good product. Thank you.
    Mr. Pallone. Thank you. Would the gentlewoman from North 
Carolina like to make an opening statement?
    Mrs. Myrick. No. I will waive.
    Mr. Pallone. OK. Thank you. We will go back to our panel 
and start with Dr. Stack. Thanks.

STATEMENT OF STEVEN J. STACK, M.D., MEMBER, BOARD OF TRUSTEES, 
   CHAIRMAN, HIT ADVISORY GROUP, AMERICAN MEDICAL ASSOCIATION

    Dr. Stack. Good morning. My name is Steven Stack, and I am 
a practicing emergency physician and Chairman of the Department 
of Emergency Medicine at St. Joseph Hospital East in Lexington, 
Kentucky. I also serve as a trustee on the Board of the 
American Medical Association. Thank you for the opportunity to 
testify on health information technology and some of the ways 
we can make these advances work for patients and physicians.
    The AMA commends the subcommittee for both its work to 
accelerate the transition to an interoperable nationwide HIT 
infrastructure and for highlighting the important role of the 
Federal Government in advancing the technological 
transformation of the health care industry. When properly 
implemented in a connected environment, widespread HIT adoption 
has the potential for transforming the practice of medicine by 
putting critical clinical information in the hands of 
physicians at the point of care.
    As an emergency physician serving the patients of central 
Kentucky, I can't emphasize enough how essential it is to have 
rapid access to complete and accurate appellant information in 
the fast-paced, information-poor environment of the emergency 
department.
    In my clinical practice, a robust nationwide HIT system 
would be an invaluable tool in the provision of high quality, 
at times life altering care for those in need of urgent 
treatment. Recognizing the potential benefits of HIT, many 
physicians are already considering the incorporation of HIT in 
their practices. But we realize that we still have a long way 
to go. To aid this process, constructive solutions to several 
persistent challenges will make HIT not only desirable, but 
also a viable and embraced patient care tool. It is in the 
creation of these solutions that we believe that the government 
has an important facilitating role to play along with the 
broader health care community.
    To that end, we commend you for your proposed roadmap that 
clarifies the role of the Office of the National Coordinator 
for HIT as a driver and strategic planning for the development, 
adoption, and use of HIT. Efforts such as this will help in the 
creation of a robust HIT network that efficiently and reliably 
moves data smoothly among health care providers.
    Additionally, the AMA agrees that the establishment of 
advisory committees comprised of expert stakeholders who would 
develop and recommend the technical standards, connectivity, 
implementation, and interoperable specifications and 
certification criteria is needed. And with their central role 
in the successful implementation and clinical use of those 
advanced systems, we strongly recommend greater physician 
representation and involvement in this process.
    As we work to create an interoperable nationwide HIT 
network, AMA would also like to thank the committee for working 
to strengthen the HIPAA privacy rule. Holding all parties with 
access to patient health information directly accountable for 
compliance with privacy standards is critical. In an electronic 
era where sensitive information can be made public with the 
touch of a button, constant vigilance to privacy concerns is 
imperative to preserve the rights and trust of our patients. 
This vigilance, however, should not become a barrier to the 
advancement of HIT, which offers great potential to improve the 
quality, safety, and efficiency of patient care.
    Physicians are eager to embrace HIT. I would be remiss, 
though, if I don't remind us all that physicians are operating 
with progressively thinner or negative revenue margins. So 
financial incentives really are a critical factor in impacting 
the adoption rate. In fact, a full two-thirds of physicians say 
they will be forced to defer HIT and other technology purchases 
if this year's Medicare payment cuts occur as planned on July 
1st. While some large health systems and hospitals have the 
necessary financial and human resources to adopt electronic 
medical records, many small physician practices, small business 
America, simply can't. It is truly essential, therefore, that 
financial incentives be made available and easily accessible, 
particularly to smaller physician practices which face the 
greatest technological, operational, and financial challenges.
    I sincerely appreciate this opportunity to share our 
thoughts on your proposal for accelerating our Nation's move to 
an interoperable nationwide HIT infrastructure. We at the 
American Medical Association are actively working with 
physicians and other health care stakeholders to accelerate the 
adoption and realize the significant benefits of HIT. We thank 
you for the work of your committee, and we look forward to 
continued collaboration with you for the benefit of our 
patients.
    [The prepared statement of Dr. Stack follows:]
    Mr. Pallone. Thank you, Dr. Stack. Dr.--is it Thames or 
Thames?
    Dr. Thames. Thames, Mr. Chairman.
    Mr. Pallone. Thames. Thank you.

    STATEMENT OF BYRON THAMES, M.D., MEMBER, AARP BOARD OF 
                           DIRECTORS

    Dr. Thames. Mr. Chairman, members of the Committee, my name 
is Byron Thames. I am a physician and a member of AARP's Board 
of Directors. Thank you for holding this hearing on one of 
AARP's highest priorities, enacting legislation to promote 
health information technology this year.
    Health IT is an essential building block for health reform 
with enormous potential to improve the effectiveness and 
efficiency of health care. We commend Chairman Dingell and 
Ranking Member Barton for crafting thoughtful, bipartisan draft 
legislation. This marks real progress towards our goal of 
enacting health IT legislation this year which we shared with a 
broad range of stakeholders. In fact, the need for health IT is 
one of the first areas of consensus AARP found with our allies, 
and Divided We Fail is a nonpartisan effort led by AARP, the 
Business Roundtable, the National Federation of Independent 
Business and Service Employees International Union, to ensure 
that all Americans have access to affordable quality health 
care and financial security.
    Consumers want the vast benefits health IT can provide for 
many reasons. Health IT can help us reduce medical errors, 
saving both lives and money. It can provide access to 
comprehensive medical records any time, anywhere. It can 
eliminate the need for redundant tests and paperwork. It can 
help to engage consumers in managing their own care. It can 
help us to quickly identify public health threats and the most 
effective, efficient ways of providing care.
    Health IT also can enhance privacy protections in many 
ways. Today's paper-based records allow anyone who can gain 
access to the files to share sensitive information with little 
chance of detection. Health IT can establish firewalls and 
leave an audit trail of who accessed or altered sensitive, 
personal health data.
    Health IT also raises new privacy concerns. The potential 
for breaches, data mining, and misuse of sensitive data is real 
and could undermine consumer confidence in health IT unless we 
have privacy rules that consumers can trust. But we should not 
be forced to choose between health IT and privacy.
    We also need to be pragmatic in how we address privacy. 
Requiring consent anytime records are shared may sound 
reasonable at first, but would be unworkable in practice. It 
also could have unintended consequences like promoting blanket 
consent forms that weaken protection and create a false sense 
of security.
    What we need instead is a package of privacy policies that 
limits data collection and use, ensures patients access to 
information, and provides rigorous user authentication and 
other appropriate mechanisms to address security.
    Because establishing workable privacy protections is so 
complex, AARP believes the best approach is that taken in the 
Dingell-Barton draft legislation. It establishes a framework, 
including basic protections such as requiring that people be 
notified if their privacy is breached. It then leaves more 
detailed privacy policies to an advisory board operating under 
Federal Advisory Committee Act rules that ensure openness and 
accountability. The Dingell-Barton discussion draft also 
provides grants to providers who are small, rural, nonprofit, 
or serving underserved communities. This is essential for 
ensuring that underserved communities reap the full benefit 
that health IT promises in improving quality and reducing health 
disparities.
    So, again, we commend this committee for its leadership on 
this vital issue. We look forward to working with you to ensure 
passage of health IT legislation this year; and at the 
appropriate time, I will be happy to answer any questions. 
Thank you very much.
    Mr. Pallone. Thank you, Dr. Thames.
    [The prepared statement of Dr. Thames follows:]
    Mr. Pallone. Ms. Dare.

 STATEMENT OF FRANCES DARE, DIRECTOR, CISCO INTERNET BUSINESS 
                        SOLUTIONS GROUP

    Ms. Dare. Mr. Chairman, Ranking Member, members of the 
subcommittee, my name is Frances Dare, and I am Director of the 
Healthcare Consulting Practice for Cisco's Internet Business 
Solutions Group. My colleagues and I work with Cisco's health 
care customers to transform their organizations both with 
advanced technologies and with business process innovation. I 
am pleased to be here today to offer Cisco's views on the HIT 
legislation the subcommittee will consider.
    Cisco has a very strong commitment to health care not only 
as a technology company serving our customers, but as a self-
insured employer. We provide health insurance coverage and 
health benefits to more than 90,000 U.S.-based employees and 
their dependents.
    HIT is an essential enabler of U.S. health transformation, 
and Cisco's vision is a world of connected health that creates 
collaborative relationships among all stakeholders to enable 
safe, affordable, and accessible health care. Connecting people 
with interoperable processes and technologies, connected health 
provides critical information and health services anywhere, 
anytime.
    HIT alone does not solve all of health care's challenges, 
but few of the problems facing health care can be solved 
without health care as a critical enabler.
    We favor legislation that promotes and even accelerates the 
adoption of HIT. Legislation at this time can help reignite 
momentum for a national HIT agenda. The draft bill speaks to 
many of the key elements needed for successful industry 
transformation, and my written comments address many of the 
bill's key provisions.
    This morning I would like to spend just a couple of minutes 
highlighting the importance of the Federal Government's 
purchasing power and its own HIT investment strategy. As 
members of the subcommittee know, the Federal Government is the 
largest single health care purchaser of health care in this 
country. As such, it should be the Nation's most committed and 
sophisticated HIT consumer. It becomes the best custodian of 
tax dollars when Federal agencies purchase standards-based 
technologies to administer or sponsor health programs.
    We support the draft provision that requires agencies to 
buy standards-compliant technology systems as they implement, 
upgrade or acquire HIT. With the Federal purchasing 
requirement, the Federal Government essentially aggregates 
demand and coalesces the market in an otherwise fragmented 
industry. When the largest single customer in any industry--and 
for U.S. health care, that is the Federal Government--brings 
the industry together and endorses investments and standards-
compliant IT, it reduces market uncertainty, and that spurs 
investment by private sector technology companies.
    The government's spending requirements in the draft bill 
focus on HIT use for the direct exchange of individually 
identifiable health information. We encourage revisions to make 
the draft consistent with the Eshoo-Rogers bill language that 
includes HIT for clinical care and also for the electronic 
retrieval or storage of health information. Private sector 
support for HIT standards and certification is clear from the 
success of the Certification Commission for Health Care 
Information Technology, otherwise known as CCHIT. More than 40 
percent of ambulatory EHR vendors, representing an estimated 
three-quarters of total EHR market penetration, received CCHIT 
certification in the first year, voluntarily participating.
    The Federal Government also has an opportunity to 
accelerate market forces using other incentives to promote HIT. 
We recommend the national coordinator work with the Secretary 
of HHS and the Director of CMS to create forward-thinking 
reimbursement policies, for example, Medicare reimbursement for 
remote consultations between physicians and their patients 
utilizing secure messaging technologies. As well, telemedicine 
solutions and other HIT can really redefine access to care when 
reimbursement practices recognize the services provided and the 
treatment rendered regardless of location, rather than tying 
reimbursement to specific clinical settings such as physician 
practices.
    Before closing I would like to highlight one other key 
topic. Americans do remain concerned that their health 
information could be vulnerable to misuse. Federal legislation 
should create a clear trigger for notification when a breach of 
protected health information presents a reasonable risk of 
significant harm, medical fraud, identity theft, or other 
unlawful conduct.
    Technology vendors continually develop solutions to make 
patient data more secure. The draft legislation recognizes that 
security measures should create presumption of no reasonable 
risk if unusable data is breached. We encourage Congress to 
fully address the need to render data unusable rather than 
requiring specific technologies such as encryption.
    In closing, we urge the Committee and the House to take up 
the draft legislation in the coming weeks. We commend the 
Chairman and Ranking Member for drafting a strong bipartisan 
draft that can be enhanced through the legislative process and 
passed into law this year. Thank you.
    Mr. Pallone. I thank you, Ms. Dare.
    [The prepared statement of Ms. Dare follows:]
    Mr. Pallone. Mr. Reed.

STATEMENT OF MARC C. REED, EXECUTIVE VICE PRESIDENT, CORPORATE 
      HUMAN RESOURCES, VERIZON COMMUNICATIONS GROUP, INC.

    Mr. Reed. Good morning, Mr. Chairman, Congressman Deal and 
members of the Committee. My name is Marc Reed, and I am the 
Executive Vice President of Human Resources for Verizon 
Communications. I am pleased to be here today to offer my 
company's support for and comments for the draft health 
information technology and privacy legislation.
    With nearly a quarter of a million employees plus 
dependents and retirees, Verizon Communications provides health 
care to approximately 900,000 Americans at an annual cost of 
about $4 billion. We have a very big stake in creating a high 
quality health care system that is both affordable and 
accessible. For us, health IT must be a critical piece of such 
a system, and our actions demonstrate our commitment.
    Verizon has been involved in a number of critical efforts 
to accelerate health IT including participating in the Federal 
Commission's Systemic Interoperability, the American Health 
Information Community, the Health IT Now! Coalition and through 
the Business Roundtable's Consumer Health and Retirement 
Initiative.
    But perhaps the best demonstration of our support of health 
IT is that we have implemented elements of health IT for our 
employees. The Verizon HealthZone initiative is an electronic 
personal health records system providing employees and their 
family members with tools and resources to help make well-
informed decisions about their health care. We believe that the 
more you know about your health, the better you can improve, 
maintain and manage it.
    Health care is one of the few segments of the American 
economy not to have been transformed by modern, efficient 
information technology. My written testimony outlines the 
benefits of health IT. Your commitment to drafting the 
legislation demonstrates that you understand the value it will 
offer.
    Now I would like to comment on the key components of the 
draft legislation you have circulated. We support the following 
items that are contained in the draft legislation.
    First, we support development of uniform interoperable 
standards. This draft legislation codifies the work of the 
Office of the National Coordinator in its role in establishing 
the strategy to develop and implement the standards for 
interoperability. We support this. We believe that this effort 
should build upon the work.
    Second, standards must be developed with the establishment 
of two different advisory committees. One group of expert 
stakeholders should provide policy input to the appropriate 
bodies. The second group should be a public-private partnership 
of key purchasers and others who can influence the setting of 
standards. There currently is an effort to form AHIC 2.0, and 
we would ask Congress to be cautious about delaying these 
current activities.
    Third, there must be support for adoption of those 
standards so that providers and payers know the systems in 
which they invest will communicate with each other. We support 
the Federal Government's using their purchasing power to 
promote adoption of standards and allowing the Centers for 
Medicare and Medicaid Services to have the authority to adopt 
these standards.
    Fourth, we support a voluntary certification process to 
ensure systems meet the standards.
    Fifth, we believe it is important that providers who cannot 
afford to buy these systems have access to grants or loans. 
This assistance should be a last resort, but it is necessary to 
ensure we have uniform adoption nationwide.
    In terms of privacy and security, we applaud the bill's 
addressing of accountability and enforcement. We believe that 
Federal law should be authorized to establish and enforce 
security standards so that private health information is 
protected through encryption or firewalls or the most up-to-
date security available. If someone intentionally breaks into 
these systems, they should be punished and enforcement should 
be at a national level.
    Because Verizon is an international company with business 
operations in all 50 States, we strongly encourage the 
Committee to create a uniform notification process that Verizon 
can follow regardless where the disclosure occurs, by 
preempting conflicting State breach laws.
    I urge all Members of Congress to vote to enact this 
legislation this year. Passage will be a big step forward 
toward creating the 21st century health system that America 
needs.
    I look forward to working with the members of the committee 
as you move forward on this issue. Thank you.
    Mr. Pallone. Thank you, Mr. Reed.
    [The prepared statement of Mr. Reed follows:]
    Mr. Pallone. Mr. Ferguson.

 STATEMENT OF JAMES A. FERGUSON, EXECUTIVE DIRECTOR, HEALTH IT 
              STRATEGY & POLICY, KAISER PERMANENTE

    Mr. Ferguson. Thank you for the invitation to be here 
today. I am Jamie Ferguson, Executive Director of Health IT 
Strategy and Policy for Kaiser Permanente, which is the 
Nation's largest integrated health care delivery system with 
more than 8.7 million members. My work focuses on expanding our 
IT capabilities and interoperability both within Kaiser 
Permanente and with other entities in patient care and 
population health.
    We have made significant investments in every area of 
health IT. We have the world's largest civilian deployment of 
EHR for 8.6 million people. We have implemented it in 421 
medical offices, and we have deployed pharmacy and 
administrative functions in all of our hospitals. We have 
rolled out computerized physician order entry in 15 hospitals 
and expect to have 25 done by the end of the year.
    Our early results demonstrate that health IT helps to 
improve care. Our online personal health record has more than 2 
million active users, which is the world's largest user base of 
online PHRs. In addition to millions of online prescriptions 
and online visits, our members have had access to over 56 
million lab test results, they have scheduled 2 million 
appointments and securely communicated with their doctors over 
5 million times online.
    We promote health IT interoperability, and we are core 
participants in federally sponsored activities such as HITSP, 
CCHIT, and NHIN. We also participate in health information 
exchange in major industry initiatives and in standards 
development.
    Health information itself is unique. It is complex and 
permanent in a way that commercial or financial records are 
not. There is no way to create a clean slate for your personal 
health history. And an individual's health history may relate 
to family members.
    Today, as you requested, I would like to offer remarks on 
this draft legislation.
    Kaiser Permanente strongly supports the goals of this 
legislation. Based on our own experience, we know health IT 
offers great benefits, and this bill offers a framework for 
delivering the promise of health IT to all Americans. The bill 
promotes the adoption of health IT through the Office of the 
National Coordinator, the Health IT Policy Committee, and 
Health IT Standards Committee. We believe the role of the 
Office of the National Coordinator described in this bill 
covers the important duties to be undertaken.
    Common standards are critical to health IT. We note that 
the Standards Committee both develops the standards and reviews 
the standards, which is unusual. Typically, the development is 
done by standards organizations after which the standards are 
adopted by a committee or an agency. We suggest that the 
proposed Standards Committee could endorse standards that were 
developed by technical panels.
    Pilot testing is an excellent way to support standards 
adoption, and NIST is very well positioned for its proposed 
role in testing technical infrastructure and security, but we 
would question NIST having a role in establishing the 
certification criteria. Transitioning AHIP to the Policy 
Committee is important, but other entities such as HITSP and 
NCVHS need transitions as well.
    The bill promotes standards through Federal contracts. This 
contracting mechanism represents a big improvement over HIPAA 
in terms of speed, flexibility, and innovation. Contract 
provisions would require standards adoption by federally 
contracted health plans, but would have no requirements for 
providers. Providers are the primary users of electronic 
medical records; therefore, the contracting mechanism would be 
ineffective unless it adds requirements for providers to use 
the health IT standards.
    We are especially supportive of the grants and incentives 
in this bill for safety net providers in underserved 
communities. We have committed more than $10 million in 
technology-related investments through community benefits.
    We support the bill's intent to address the privacy and 
security of personal health information. All consumers should 
be guaranteed a minimal level of privacy and security 
protections, and consistent protections should apply equally to 
all personal health databases regardless of whether they are 
held by a HIPAA-covered entity or a noncovered entity. We 
strongly support and participate in technical innovations in 
this area, but different innovators who introduce substantially 
similar products and services should not operate under 
different levels of regulatory oversight.
    Consumers should be notified when their personal data are 
breached, and our practice is to support the California Breach 
Notification Law. We are concerned that the bill proposes 
unequal breach notice for covered entities versus PHR vendors 
when encrypted data are involved.
    The proposed restrictions on marketing practices are good 
so long as they do not prevent population health and patient 
education programs.
    We look forward to working with the Committee on developing 
language to provide both the maximum privacy protection and 
clinical benefit for patients.
    Mr. Chairman and distinguished members of the Committee, 
thank you again for the invitation to be here today. I look 
forward to answering any questions you may have.
    Mr. Pallone. Thank you, Mr. Ferguson.
    [The prepared statement of Mr. Ferguson follows:]
    Mr. Pallone. Dr. Elders.

    STATEMENT OF JOYCELYN ELDERS, M.D., FORMER U.S. SURGEON 
      GENERAL, CO-CHAIR, AFRICAN AMERICAN HEALTH ALLIANCE

    Dr. Elders. Good morning. Thank you, Chairman Pallone, 
Honorable Ranking Member Deal and members of the Health 
Subcommittee. I am Dr. Joycelyn Elders, a former United States 
Surgeon General, the former Health Director of a rural, poor 
State with many underserved, less well-educated people without 
proper health care.
    I also want to thank Congressman Towns, Ed Towns of New 
York, renowned for his work on this committee, including his 
commitment to the reduction and ultimately the elimination of 
health disparities and health on all fronts and across all 
populations.
    The Committee's commitment to addressing inequities in 
health care for racial and ethnic communities, to addressing 
the needs of the uninsured and the underinsured, the disabled 
and the medically underserved communities including homeless 
and poor; I am steadfastly in support of this bill.
    We can go anyplace in the world and use our card to get 
money out of our bank account, but you can't go across the 
street and have a child be able to know whether they are up-to-
date on their immunizations. Most bank records, bills, personal 
communications, and security exchanges are currently maintained 
in electronic form, while the vast majority--you have heard 
this morning, less than 20 percent, only 18 percent in many 
cases--of the health information is held primarily in paper 
form. So I think this tells us something about our health care 
system.
    I know that you already know that we have absolutely the 
best doctors, the best nurses, the best hospitals, cutting-edge 
research in the world, but you also know that we do not have 
the best health care. And, in fact, we have got a very 
excellent sick care system.
    The problem is, we don't have a health care system; and I 
feel that this bill will help to serve as a connector to begin 
to bring together some of the multiple pieces of all of this 
excellence that we have to be able to impact the patients and 
their doctors in all segments of our population.
    I am concerned about all Americans and confident that if I 
advocate for the most marginalized of the American people that 
we will secure health care of equal high quality for all. I 
feel that you on this committee serve as an important group to 
be the voice and the vision for the poor and the powerless, and 
also to use your tremendous power as you can in this important 
bill by the multiple sections that it includes to make sure 
that we address the needs of all populations, because very 
often the physicians that are serving those most in need can't 
afford this system. And it is very wonderful that you have 
included grants or low-cost loans to help those most in need 
and most in need of serving.
    I am very encouraged by the hard work that Chairman Dingell 
and Congressman Pallone and ranking members have put into 
developing different pieces of this discussion draft and hope 
you use your collective wisdom to further information 
technology.
    We are encouraged by the components of the draft, including 
the codification of the Office of the National Coordinator for 
Health Information Technology. We need someone to keep this 
together in order to continue its overall effectiveness for the 
Nation and the utilization of health information technology.
    We are also encouraged by your establishment of the various 
advisory committees, which I feel will be very important and 
very critical. We like the bifurcation approach of developing 
standards using both policy setting committees and a Health 
Information Technology Standards Committee and the draft's 
establishment of a prominent standards development role for the 
National Institute of Standards and Technology.
    I mentioned earlier the importance of having and 
establishing a resource center for education and research and 
setting up grant policies that I feel are very critical. We are 
encouraged by the provisions which call in the National 
Coordinator to assess and publish the impact of health 
information technology that this will have on the underserved 
community. We all know that we have a wide disparity in health 
care within our community, and hopefully this will provide some 
help. Hence, we believe that effectively applied health 
information technology can serve to benefit all of the American 
people.
    Mr. Pallone. Dr. Elders, I apologize, but if you could 
summarize.
    Dr. Elders. I think the most important thing is, we very 
much support this bill. And we really feel that the important 
components are that you will make sure that it serves all of 
the people and that you will provide grants and the privacy 
pieces that are very important and critical.
    Thank you.
    Mr. Pallone. Thank you very much and thank you for being 
here today, too.
    Mr. Pallone. Dr. Peel.

STATEMENT OF DEBORAH C. PEEL, M.D., FOUNDER AND CHAIR, PATIENT 
                         PRIVACY RIGHTS

    Dr. Peel. Thank you for the opportunity to testify today on 
the health information technology and privacy draft. I applaud 
everyone's hard work on this bill.
    I am Dr. Deborah Peel, and I am the founder and Chair of 
Patient Privacy Rights. We have 5,000 members. We educate 
consumers. We champion smart policies. And we are holding 
industry accountable to protect your health information.
    We also lead the coalition, the bipartisan coalition for 
patient privacy, and we represent over 7 million Americans' 
interests. I am known for being really passionate about 
privacy. My patients taught me about privacy. I know that you 
cannot have effective treatment unless patients trust that 
their physicians will be able to keep their sensitive 
information private.
    People came to me, starting 30 years ago, and paid cash 
because they had lost a job or their reputation had been harmed 
when someone saw their information that should not have. At 
Patient Privacy Rights we hear every day from people in every 
State, desperate for help.
    People have found their health records on the Internet. 
Veterans are afraid to get treatment for post-traumatic stress 
disorder, and people complain to us because employers want them 
to turn over access to their health records as a condition of 
getting employment. So while I may be passionate about this 
issue, the idea that your most embarrassing, sensitive health 
conditions should stay private and that you should control that 
information is not radical. In fact, it is conservative.
    Today, everybody wants access to health information--
employers, insurers, law enforcement--but I am here to tell 
you, electronic records systems create a real risk for patient 
privacy. My patients will tell you, the existing laws do not 
protect them. Four million people, 4 million providers and 
their employees today decide when, where, and who sees your 
health information technology. Not you.
    Today, electronic systems aren't secure. Employers and 
insurers use this information to decide if you get jobs or 
coverage. Just one prescription data miner in 2006 made $2 
billion--that is B, billion dollars. A national insurer 
aggregates themselves the data of 79 million Americans, and 
every prescription in this Nation is sold and data mined every 
day. It doesn't matter if you pay cash.
    Americans need you, all of you, to ensure progress with 
privacy in this bill. But, first, we have to have a definition 
of privacy. We don't even have one. We are not even talking on 
the same page about what that means. We lack the NCVHS IOM 
definition that health information privacy is the individual's 
right to control the acquisition, uses and disclosures of 
identifiable information; or go back to Hippocrates, 
``Whatsoever I shall see or hear of the lives of men and women 
not fitting to be spoken, I will keep inviolably secret.''
    Or in 1974, HEW, the Department of Health, Education and 
Welfare, developed the Code of Fair Information Practices. This 
is their definition: ``There must be a way for a person to 
prevent information about them obtained for one purpose, being 
used for other purposes without consent.'' Privacy means 
control over information. If you don't control your 
information, you don't have privacy.
    Congress needs to adopt a definition of health privacy. 
Please. You choose. Choose a definition. Let's start from one 
place.
    Second, we have got to restore Americans' abilities to 
control their personal health information. Codify what everyone 
assumes happens when they see a doctor, when they go to see a 
doctor. They assume that what they say in a doctor's office 
stays in the doctor's office. Ladies and gentlemen, getting 
your consent before anyone discloses your diagnosis of cancer, 
heart disease, diabetes--you name it, depression--is not 
radical. In fact, today, obtaining consent is very easy using 
smart technology.
    To accept the argument that consent is a burden or 
impractical means we accept that it is OK for industry not to 
even try and communicate with their customers. It is OK for 
those who have everything to gain to decide how your 
information is used. Well, that is not OK with us. Destroying 
the bond of trust between physicians and patients has worked 
for millennia--millennia. That is what is radical in this 
debate.
    Finally, do not delegate the power to change Americans' 
long-standing right to privacy from others. Three-quarters of 
Americans want government, not industry, to set the rules and 
privacy protections they will have. Two-thirds want government, 
not industry, to set the rules regarding secondary uses of 
information.
    The lack of privacy is harmful and it is deadly. According 
to HHS, 2 million people with mental illness don't get 
treatment because of privacy; 600,000 people with cancer are 
afraid to get early diagnosis and treatment because of privacy. 
This is from HHS that says that. One in eight Americans does 
something to put their health at risk because of privacy. They 
either see different doctors, they ask them to change 
diagnoses, they are afraid of taking tests.
    Mr. Pallone. Dr. Peel, I am sorry, but you are 1 minute 
over; if you could, please summarize.
    Dr. Peel. Let me just stop and say--I just want to say one 
other thing. I have been face to face with my patients over 30 
years and I have seen how their lives are damaged and harmed 
when information gets in the wrong hands. But I can't even tell 
you their stories because I took an oath. And if I break that 
oath and violate their trust, then I can't help them.
    Now is your opportunity; it is your opportunity to define 
privacy and make it a reality again for all Americans. I am 
really grateful for this opportunity to talk with you and to 
work with you on improving this bill and protecting Americans. 
I would ask you to please take the same oath that I do and 
protect Americans' trust in the health care system.
    Thank you so much.
    Mr. Pallone. OK. Thank you.
    [The prepared statement of Dr. Peel follows:]
    Mr. Pallone. Ms. McGraw.

 STATEMENT OF DEVEN McGRAW, DIRECTOR, HEALTH PRIVACY PROJECT, 
              CENTER FOR DEMOCRACY AND TECHNOLOGY

    Ms. McGraw. Thank you very much, Mr. Chairman. I also want 
to thank you for the opportunity to testify here today and also 
to thank you, Ranking Member Deal, as well as Chairman Dingell 
and Ranking Member Barton and their staffs for the hard work 
that they put in on this bill.
    I am the Director of the Health Privacy Project at CDT, the 
Center for Democracy and Technology. CDT has a long history of 
expertise on Internet and information privacy issues. The 
Health Privacy Project has a decade of experience in advocating 
for privacy and security of health information, and so those 
two organizations have recently merged together in order to 
come up with workable solutions to better protect the 
privacy and security of health information online.
    CDT supports efforts to expand the adoption of health 
information technology and health information exchange 
electronically, but we won't realize these benefits until we 
build in the right privacy and security protections. I think 
others here have testified very well that, in fact, people will 
fear having their information be part of the systems if we 
can't assure them that we have taken the right steps to protect 
their privacy and security.
    This technology actually has the tools to be better 
protective than paper, if we make people use it; but we also 
know that if we don't, the fact that this information is 
flowing more freely out there electronically, in fact, does 
magnify the risk. A box of paper records that gets stolen has 
one set of consequences. Information that is inadvertently put 
up online or was stolen from a laptop has consequences for tens 
of thousands or even hundreds of thousands of people instantly. 
We can do better.
    To really build public trust in these systems, what we need 
is a comprehensive privacy and security framework that is based 
on fair information practices, which is typically what we look 
to when we want to protect personal health information and we 
don't have to start from scratch. The HIPAA privacy and 
security rules provide a comprehensive framework, but there are 
gaps in HIPAA; and we need to build on it and fill those gaps 
for entities in the health care system and consider the fact 
that in this new environment health information is migrating 
outside of the traditional health care system and is being 
handled by companies that aren't traditional health care 
players and might be operating on a different business model.
    This draft bill begins the work of developing that 
comprehensive framework, and we are proud to support it. So we 
really are calling on Congress to think big and to have a 
comprehensive vision, but we know these topics are quite 
complex. It is not easy to think about the right privacy and 
security protections to put in place when we also need to 
consider that we want information to flow for legitimate 
purposes.
    So we are advocating for incremental implementation, which 
is one of the reasons why we like this bill. It takes critical 
steps toward the goal of a comprehensive framework by 
establishing incremental, workable privacy and security 
solutions that build on current law and target many of the new 
issues that are raised in this new environment.
    It doesn't do everything in this draft. I think we are 
going to need to continue to revisit this over time, build on 
the foundation we created in HIPAA and that, hopefully, will be 
built on with this bill; and as the systems evolve, continue to 
pay attention to this. But the discussion draft breaks the 
private logjam and allows us to move the conversation forward 
to the next level, which is really what we need to do.
    We support the provisions in the bill. I will highlight 
just a few of them. We like that it clarifies that the 
businesses' associates should be directly accountable for 
complying with the security rules and for the provisions of 
their contracts with respect to how they are able to use 
information.
    We like the breach notification provisions, although we do 
ask the committee to consider strengthening the incentives to 
use protective technologies like encryption by providing 
possibly a safe-harbor, rebuttable presumption when the data is 
encrypted that there isn't a need to notify unless for some 
reason you have information that the data encryption isn't 
working; clarification of the marketing rule, tasking HHS and 
the FTC to develop recommendations for privacy and security 
protections and breach notifications for these new entities; 
PHRs, particularly where we think they are offered by companies 
outside of the health care system, whether it is employers or 
traditional Internet-based companies. Extending HIPAA to cover 
those would not work; HIPAA's framework works for health care 
system entities, but it would have unintended consequences if 
grafted on top of this industry, which again works under a 
different business model.
    We also hope the committee will give some further 
consideration to enforcement of HIPAA either in this bill or 
subsequently down the road. I know Congressman Waxman mentioned 
earlier that there hasn't been a single civil monetary penalty 
that has been levied. We also know that the Department of 
Justice has been hamstrung somewhat by an internal memo that 
suggests that you can't get to employees of covered entities 
for criminal violations. I am happy to go into that in more 
detail, but we hope the committee will look into those issues 
further.
    Again, I thank you for your very hard work on this bill. We 
support it, and I am happy to answer any questions that you 
might have.
    Mr. Pallone. Thank you, Ms. McGraw.
    [The prepared statement of Ms. McGraw follows:]
    Mr. Pallone. I thank all of you for your opening 
statements. We will now turn to questions, and I will start 
with myself for 5 minutes.
    The Department of Health and Human Services seeks to fully 
privatize the American health information community, which 
currently exists as a Federal advisory committee to define and 
make recommendations on the future direction and national 
strategy for health information technology. The administration 
seeks to make that entity into a private, independent entity 
referred to as AHIC 2.0; and the private entity is required to 
be self-sustaining financially, so it could be based, I fear, 
on a pay-to-play model.
    The discussion draft provides for a stronger Federal role 
in the development of policies and standards, including Federal 
oversight over timeliness of the process. My concern is that 
privatizing this entity would be a step backwards from building 
meaningful consensus and adopting uniform standards for HIT. My 
concern basically is that privatization of AHIC could undermine 
a consumer voice.
    So I want to start with Dr. Thames. Can you talk about the 
dangers of fully privatizing a body that will make policy and 
technical standards recommendations and how that could affect 
the consumer voice?
    And then I was going to ask Ms. Dare to comment on it--to 
respond to that as well.
    Dr. Thames. Mr. Chairman, I think we would agree with your 
concerns about a fully privatized service that doesn't have 
standards that have been set, like we are talking about being 
set in this draft being provided, and government oversight for 
that kind of information.
    The bill, the draft that we are looking at which requires 
that these standards' strategic plans be drawn up and that we 
go ahead with being able to schedule the privacy requirements 
that we need, we think that is a government-developed--be 
better government-developed standards with input from people 
like you have on this panel today.
    Mr. Pallone. Thank you.
    Ms. Dare, did you want to respond too?
    Ms. Dare. Thank you. We would suggest and observe that all 
of the evidence today says the best results have come with 
public-private partnerships. And we can see that with the 
current work with AHIC, with CCHIT, even the NHIN pilot where 
the government has played a role in the private sector; so we 
would want to see a continued role for government in the 
standards development process.
    We would also like to see very much the continued 
involvement of Congress in knowing the standards development 
progress and annual reports from whatever entity becomes AHIC 
2.0.
    So we think the bill speaks very well to broad stakeholder 
representation. The bill defines the variety of people to be 
involved in both the policy and Standards Committee. We think 
that it is vitally important and should include consumers. And 
I think the bill speaks well to a structure that is both public 
and private in its approach.
    Mr. Pallone. All right. Thanks.
    My second question: you know, I hear a lot from doctors or 
providers in general about the cost of HIT; even though they 
support it, where are they going to get the money up front?
    According to Health Affairs, the purchase of an electronic 
medical records system for a solo or small group practice 
averages $43,000, and the range is between $14,000 and $63,000 
in 2005. The costs obviously could be a burden on solo or small 
group practices, and I was going to start with Dr. Stack and 
ask you to discuss whether the AMA supports the grants and 
loans that are in the discussion draft and what you think the 
impact would be on the smaller solo, rural, or urban practice? 
What kind of benefits can a doctor expect to see in costs or 
quality of care and in efficiencies for the investment in 
electronic medical records they make?
    So are these costs legitimate? Do you think in the bill we 
are addressing them properly and will their benefits accrue so 
it makes sense for these types of practitioners?
    Dr. Stack. The dollar figures that you reference are ones 
we agree with entirely. There are ongoing costs, of course, for 
maintenance and service which, rounding numbers, could be in 
the ballpark of $9,000 per physician a year or some other 
figures we have seen. These are direct financial acquisition 
costs and maintenance costs.
    The other costs that are more complex to discuss are those 
that require staff training, process change, change management 
which involves often a pronounced diminishment of efficiency 
for some periods of weeks or months during the incorporation of 
a whole new system and process. It is one of the reasons you 
emphasize that the standards are so important, because when 
physician practices make this transition, it is absolutely 
imperative that that transition has a reasonable likelihood of 
sticking and serving them well for some period of years. They 
just simply can't go through that kind of change repetitively. 
So those financial costs, both direct and indirect, are very 
real.
    In an organization as big as, say, Kaiser where Mr. 
Ferguson works they can have in-house HIT specialists to help 
them to direct and purchase and make decisions and then 
troubleshoot during the implementation phase. In a small 
physician practice, often the director of human resources, the 
purchasing director, the coding and billing supervisor, the 
technology expert, all of those people reside in one person in 
the form of a physician who really, quite frankly, is far 
better trained to take care of your health needs than they are 
all those other functions.
    If they are really lucky, they may have one manager for 
that office to help with all those same tasks. So those costs 
are essential in the grant programs, and the assistance you 
have outlined in this discussion legislation are most 
appreciated, and I think will be absolutely imperative if we 
are to see success in this.
    Mr. Pallone. Thank you, Doctor.
    Mr. Barton.
    Mr. Barton. Thank you, Mr. Chairman. I am in an unusual 
position in that I am the cosponsor, along with Chairman 
Dingell and Mr. Pallone, of this bill. So I should be all for 
it; I should think it is the greatest thing since sliced bread.
    And I do think it is a good work product, but I am very 
concerned about the issue of privacy. I am the co-chairman, 
along with Mr. Markey, of the Privacy Caucus, so I really want 
as strong a privacy provision as we can have in this bill. So I 
listened very carefully to our last two witnesses, and to Dr. 
Thames earlier when they talked about privacy.
    So I am kind of in an unusual position of defending the 
product, but yet still wanting to improve it if possible. So my 
first question would be to you, Dr. Thames. Does AARP object if 
we were to put a definition of privacy into the base bill? We 
don't have a definition now. And I think Dr. Peel makes a 
fairly good argument that we should at least have some 
definition.
    Dr. Thames. I think we would definitely be in favor of your 
trying to get a definition. What we would, I think--what we are 
concerned about with privacy from an AARP standpoint is that we 
don't want to have to choose between privacy and HIT--we want 
both--and that we feel that relying solely on consent puts an 
unfair burden on the consumer and overlooks the importance of 
having the systems and rules and processes to protect the 
personal health information. And those are the kinds of things 
that we note with pleasure are in your draft legislation.
    So we would look with favor on getting this, but we know 
that in addition to what is in there in your draft, we are 
going to have some regulations to make this work. And we don't 
want to see the bill held up until Congress can decide together 
what are the right regulations, because they haven't been able 
to do it in the last 4 years.
    Mr. Barton. I agree with what you just said, but there is 
no reason we couldn't do both, is there?
    Dr. Thames. No, sir, not as far as we are concerned. There 
is no reason why we cannot do both unless we fail to work in a 
bipartisan manner like this committee has done so well up to 
now, sir.
    Mr. Barton. OK.
    Dr. Peel, some of the opponents of your position on strong 
individual privacy protection say if we were to go down the 
trail that you advocate, we set up a scenario where we give at 
some future time a private right of action to sue. What is your 
evaluation of that?
    Dr. Peel. As far as I know, we have a private right of 
action to sue for breaches of privacy in all 50 States right 
now. We are not so interested in exactly what the penalties are 
for breach of privacy. We are not interested in arguing about 
private right of action.
    I would just like to point out again that consent is very 
feasible, because we now have technology where you can get 
consent instantaneously. You can set up broad directives. With 
technology you could exquisitely decide what gets sent to whom 
and when, down to the data field. There is smart technology to 
make consent cheap, easy, and fast and provide audit trails.
    So technology--what we are saying is, we want health IT, we 
want progress with privacy. There is no reason to make a 
choice. And, frankly, if this draft--if we had this system that 
is in this draft in effect over the last few decades, two of 
the most popular presidents in this country, Reagan and 
Kennedy, their health records would have been available across 
the Internet and they never would have been elected if anyone 
had understood President Reagan's risk of Alzheimer's disease 
or how sick Jack Kennedy was with Addison's disease.
    Mr. Barton. Dr. McGraw, I read your written testimony when 
you talked about the need for institutional safeguards. Do you 
agree or disagree that we could do the institutional part of it 
and have some sort of an individual consent requirement?
    Ms. McGraw. We need to do the institutional part of it, and 
we do think there is an appropriate role for patient consent. 
It is actually part of fair information practices, and the 
notion of individual control.
    What we disagree with is pinning the privacy and security 
of the system on patient consent because, in fact, we think 
that patient consent actually provides weak privacy 
protections. And I can go into more detail about why I think 
that.
    But at any rate, if you have--the thing with individual 
consent, if you are combining it with the institutional 
protections and you are asking folks for their information--I 
haven't seen a proposal on the table that looks like that, but 
my sense is that we would focus on whether those institutional 
protections are there because in our opinion that is what 
protects privacy and security.
    Mr. Barton. My time has expired, Mr. Chairman. This is 
something I want to pursue with the stakeholders and also with 
the members before we go to markup.
    Thank you for your courtesy.
    Mr. Pallone. Thank you.
    Let me ask unanimous consent to enter into the record a 
series of statements that have been looked at by both the 
minority and the majority including the statements from the 
Divided We Fail Coalition, the Business Roundtable, eHealth 
Initiative, Consumer Partnership for e-Health, Health Care 
Leadership Council, the Oregon Institute of Technology, and the 
Federal Trade Commission.
    Without objection, so ordered.
    [The information appears at the conclusion of the hearing.]
    Mr. Pallone. And next for questioning is the gentlewoman 
from California, Ms. Eshoo.
    Ms. Eshoo. In the draft discussion, in subtitle (a) in the 
security provisions, there is a notification in the case of 
breach. And it goes through to identify that if a breach--if 
there is a breach of the unauthorized use of information, it 
could reasonably result in substantial harm, embarrassment, 
inconvenience, or unfairness to the individual.
    Any of the panelists, in taking a look at that language, it 
strikes me as being a low threshold for notification. This is 
notification if there is a breach of security.
    Does anyone want to weigh in on that? Again, it strikes me 
as being a low threshold; and I don't know if this were ever 
challenged in a court--``embarrassment, inconvenience, or 
unfairness,'' that is an unusual standard.
    Dr. Peel. I may be wrong, but I think that might come from 
California's breach notice.
    Ms. Eshoo. I don't think so, no.
    Ms. Dare. If I might, Congresswoman, we echo your concern 
that the language is at least unclear and the standard unclear. 
We think information that speaks more to significant harm, risk 
of medical fraud, identity theft, unlawful conduct, gives 
everybody a more succinct and consistently applied standard.
    Ms. Eshoo. Mr. Ferguson had his hand up.
    Mr. Ferguson. I would like to add and agree that we think 
the California law is a lot clearer as to when you have to 
notify. And we follow the California breach notification in 
all of our locations across the country.
    We also think, though, that the breach notification 
provisions should be the same for all personal health databases 
regardless of whether they are held by PHR vendors or by 
covered entities.
    Dr. Peel. I just remembered, that language is from OMB. I 
knew I had seen it somewhere.
    Ms. Eshoo. I didn't think it was California. That is 
helpful, what each one has said, and I think the committee 
staff is going to have to take note of that in the draft 
discussion.
    On the issue of safe harbor that was mentioned by Ms. 
McGraw, I think the committee bill should allow safe harbor to 
apply to both PHRs and covered entities, and I wondered if you 
might add on that.
    Ms. McGraw. Sure. We agree with you.
    There are two slightly different standards with respect to 
a breach that occurs with a PHR versus in the traditional 
health care context. You know, the California data breach law 
that was mentioned, essentially the trigger for notification is 
whether or not the information was encrypted or not. So without 
having to go through--will this person be embarrassed by this 
information, because I do think you need to actually have a 
different threshold than you do for financial data. The amount 
of money in your bank account is a completely different piece 
of information about you than the fact that you last week had 
to take an STD test. So it has to be a different trigger, and 
it is hard to get to that trigger.
    So you mentioned a low-threshold issue, but the encryption, 
if for no other reason than it actually provides an incentive 
for organizations that hold data to encrypt it--and Ms. Dare 
mentioned not encryption, but something else--I think be 
willing to think about whether we want to lock ourselves into a 
particular form of technology. But I still think it is a good 
idea to build those incentives in by creating a safe harbor or 
rebuttable presumption.
    Ms. Eshoo. Thank you. I appreciate that.
    In the discussion draft it requires notification of 
individuals whose health information has been breached or 
wrongfully disclosed, but the draft specifies that the notice 
be provided in writing by First-Class Mail; and I think that 
this is a real irony because we are talking about HIT, because 
it seems to me that the central purpose of health information 
technology legislation is to move away from what that says.
    Everybody is smiling. We all get it.
    Does anyone think that snail mail should be the default 
method of communication in cases of a data breach?
    Dr. Stack. It may be sufficient to say, I think there would 
be consensus that it is a little archaic.
    Ms. Eshoo. I will take that. I think those are my questions 
for now, Mr. Chairman. And did you already stipulate that we 
can submit questions?
    Mr. Pallone. If you want to ask questions, absolutely any 
member who would like to submit questions for the record.
    Ms. Eshoo. Thank you very much everyone. I think this has 
been enlightening; and I think that there are obviously some 
areas where we are going to be changing the draft based on some 
of the things that have been brought up today, which is what 
this hearing is terrific for. So thank you.
    Mr. Pallone. Thank you.
    Next is the gentleman from Texas, Dr. Burgess, for 
questions.
    Mr. Burgess. Thank you very much, Mr. Chairman. Thank you.
    Ms. Dare, let me welcome you from Richardson, Texas. It is 
always good to have a Texan on the panel; that way I know it is 
going to be fair.
    Let me just ask you if this bill were to suddenly be on the 
President's desk and signed, how would your life change at 
Cisco Systems? What would be different? What are the things 
that are embodied in this legislation that would make things 
better for you and what are the things that would make things 
worse?
    Ms. Dare. Thank you for that question. It is a very broad 
one, and I always start to consider both Cisco as an employer 
and the employees for whom we care passionately about health 
care, as well as our technology perspective.
    I would say from the technology perspective, most 
initially, we would hope the bill would accelerate the 
development of the regional health information exchange 
networks and that we would see much better connectivity and 
collaboration across the continuum of care, whatever the 
organizational body might be.
    Mr. Burgess. Can I ask you a question on that? Under 
development right now, even without any Federal legislation, 
are there not companies out there who are working on those 
issues of interoperability, how to get one system to talk to 
another? Is that work not ongoing at the present time?
    Ms. Dare. It is, and I would add, as well, the most 
meaningful piece of that work really comes together in the four 
pilot projects that the Federal Government has helped sponsor 
and fund where you really bring together--and they are each 
different and use different technology approaches--but where 
they are, in fact, proving today that across different 
communities, using different technology approaches, you can 
share health information technology effectively and securely.
    It is a huge undertaking. The longest standing, successful 
project of that type is in Indianapolis, and they have been 
doing it a long time and have been successful for some unique 
circumstances. But if we want to see that movement take 
momentum across the country, we think you do need legislation 
like this and you need the sponsorship, the convening role of 
the government, to help bring some of these bodies together.
    We have seen in the last 4 years the work around these sort 
of regional collaboratives accelerate significantly versus the 
8 or so years before that when the work in Indianapolis began. 
In fact, there were significant undertakings in communities 
like Santa Barbara which attempted to do very good work and, in 
fact, struggled and have now disbanded.
    It is an evolving territory, but one we think this bill can 
make a big difference for.
    Mr. Burgess. Like so many other areas, there is a need, 
there is a market for that technology. Technology has already 
been referenced at several points and I suspect a company like 
yours would be anxious to fill that niche and claim that market 
share.
    We talked a little bit about the irony of having the 
notification come through snail mail. Part of the irony of 
having the Federal Government in charge of this type of 
capacity, this type of capability, is we have the system today 
where the VA, under the VistA System, can't communicate with 
the Department of Defense. So the bad stories that came out of 
Walter Reed Hospital 18 months ago largely were generated by 
the fact that, well, guys were on medical hold, their records 
that they were preparing for the VA would get lost and they had 
to rely on paper records because their DoD records could not 
electronically transfer.
    So I am a little suspect of our ability at the Federal 
level to create a system that actually works because I have 
been in communication with the folks in the Department of 
Defense and this has been an ongoing problem for 18 months and 
I don't see us quite there yet. Yet I see efforts in the 
private sector where they recognize the need for this. In our 
neck of the woods, Presbyterian Hospital and Baylor Hospital 
looked at a merger 10 or 15 years ago and couldn't do it 
because they didn't have the interoperability to their computer 
systems.
    So clearly the market exists for that type of capacity. I 
just wonder if we are making a mistake by putting ourselves in 
between what should be a private sector niche to fill and 
saying don't worry about that because we are going to take care 
of it at the Federal level. I have heard that for 5 years since 
I have been here and I don't see us any closer today than we 
were 5 years ago. But maybe I am just being too critical.
    Dr. Stack, I didn't want the time to expire without asking 
you--I think we heard reference to the RAND Corporation study 
about health information technology, the $77 billion we are 
going to save in the year 2015. Of course that study always 
ignores the investment that is made by what you so eloquently 
put in your testimony, the small medical practitioners, the 
small businesses that are out there, and then of course you 
provide some data, the cost for that.
    In the RAND study, if I am correct, they did talk about 
incentives for the health care provider community doctors, that 
those incentives would have to be early, they would have to be 
limited. You didn't want to reward late responders by 
continuing to offer that help well down the road. But the most 
critical thing that is often overlooked is those incentives 
have to be substantial. They have to be substantial for all of 
the reasons that you outlined in your response to Mr. Pallone's 
question, the fact that there is a significant outlay of 
capital in what is generally a fairly capital intense activity 
anyway, which is a running of a small practice. And there is 
the training, there is the ongoing maintenance and then the 
fact that some of us are slow. And it adds minutes to each 
patient encounter. And if you add a few minutes to each patient 
encounter when you have to see 30 to 45 patients a day to make 
the cashflow work, you are suddenly talking about a couple of 
hours added onto the day which are not available for patient 
care, revenue generation, or time with family.
    The other issue on the telephonic aspect of this----
    Mr. Pallone. Mr. Burgess, are you going to ask him a 
question? Because you are a minute over.
    Mr. Burgess. I actually just wanted to thank you for 
bringing that up. And on the RAND Corporation issue about that 
substantial incentive, I hope that you and your friends at the 
AMA will continue to look at that and provide us with real data 
as to just how substantial those incentives must be.
    Mr. Pallone. Do you want to respond?
    Dr. Stack. In the absence of a question, thank you for the 
opportunity to comment additionally. I would like to note that 
I was intentionally silent on the potential and prospective 
cost savings because depending upon what lens you frame that, 
you can find fantastic savings or minimal savings. I think what 
the true value here is--and Secretary Leavitt has commented on 
this--is transparency in the health system. And all these 
issues intertwine in that to a great extent.
    The answer to privacy problems is to hold people 
accountable for proper access and responsible use of 
information. Addressing privacy as the cause when the issue is 
really that health plans--it is inconvenient to take expensive 
beneficiaries because they cost money and increase medical loss 
ratios. Hiding that information, which is necessary to care for 
people, is not the way to address it. The way to address it is 
to find the fundamental issue, which is how the information is 
being used and what is done with it.
    In your instance, having to do with the costs of this, 
having more information in the hands of clinicians and people 
who help to manage this health sector--and it is questionable 
if it is a system at this point and people have made that 
comment already about a health sector. I don't think we know 
the true power that we could have potentially to find 
opportunities for cost savings, quality improvement, safety 
improvement. That is the fantastic promise of health 
information technology and why it is so important to help the 
Federal Government at a high level, broad level, align 
incentives for the private participants in this system but try 
not to delve too low down so that the private sector is stifled 
in its ability to innovate and deliver a better result.
    Mr. Pallone. Thank you.
    Mr. Waxman.
    Mr. Waxman. Thank you very much, Mr. Chairman. Although our 
current Federal health policies provide for criminal and civil 
penalties against those who violate the privacy provisions and 
under the rule the Secretary of Health and Human Services can 
impose civil penalties and he can refer cases to the Justice 
Department to pursue criminal prosecution, the privacy rule has 
now been in effect for half a decade and there have been 30,000 
or so complaints alleging violations reportedly filed with HHS, 
yet I understand there has not been one instance in which HHS 
has imposed a civil penalty for a violation of the rule and the 
Department of Justice has prosecuted only a handful of criminal 
cases regarding the rule.
    This history underscores, it seems to me, the need for 
creating additional enforcement mechanisms to ensure an 
effective Federal and health privacy protection scheme. Toward 
that end, I am interested in exploring the role State attorneys 
general might play in enforcing medical privacy protections. It 
is my understanding that under current law some State AGs may 
have authority to pursue criminal penalties for HIPAA 
violations, depending on the State statute governing the AG's 
authority. But it is less clear that State AGs have authority 
to pursue civil penalties for HIPAA violations.
    Ms. McGraw, is that understanding correct? And what do you 
think we ought to be doing about it.
    Ms. McGraw. Yes, it is my understanding. If you read the 
penalty provisions of HIPAA, they are actually not in the regs. 
They are actually in the statute, and the authority to impose 
the civil monetary penalties is vested in the Secretary through 
the Office of Civil Rights. So arguably one could argue that 
that statutory construct creates exclusive authority to civilly 
enforce the law with the Secretary versus on the criminal side 
it doesn't vest the authority with any particular body and it 
doesn't expressly give the State AGs the right to act, but in 
some States they have with respect to their authorization of 
what their State AGs can do, they could enforce the criminal 
provisions because that piece of the statute is just written 
differently.
    Mr. Waxman. Well, do you think there would be an advantage 
in ensuring clear authority for State attorneys general to 
enforce violations of HIPAA?
    Ms. McGraw. We would endorse that, but we would also 
counsel the Committee to actually look at those statutory 
provisions again. Not so much the criminal authority, because I 
think that that is fairly clear. But when you get to the civil 
penalty piece, we have been disappointed in OCR's lack of 
putting a penalty on anyone to date, even though they have 
found violations of the rule. But the statutory provisions 
themselves are not written in a way that gives them a 
tremendous amount of freedom to actually impose those 
penalties.
    And so I would ask the Committee to take a look at that if 
you are interested in pursuing the enforcement piece, which I 
think you should because you can create all of the right set of 
protections in the world but you don't have a right without a 
remedy. And the remedies are tied to enforcement of the statute 
by our----
    Mr. Waxman. You are raising concerns about the existing law 
and the enforcement by the Secretary under that existing law. I 
was also posing the idea of letting the State agencies enforce 
the law. You think both need to be looked at?
    Ms. McGraw. Yes, I would look at it. Because arguably if 
you give the State AGs the authority, they have to abide by the 
statutory provisions that the OCR has to follow.
    Mr. Waxman. OK. Does anybody else--Dr. Peel, I see you are 
raising your hand.
    Dr. Peel. Yes, I have a couple of comments. I think the 
scheme that you are proposing, where the State attorneys 
general take action, is actually in the Trust Act. But I think 
there is something key missing at the table that we have got to 
talk about, which is that the vast majority of breaches of 
information today are legal under HIPAA. So most of the 
complaints turn out to be uses that are allowed under the 
privacy rule that no one would ever agree with. And because we 
don't have audit trails, people aren't noticed how far their 
information goes, it is difficult to even know who has seen 
your records or for what use because HIPAA allows broad use of 
information if it falls under treatment, payment or health care 
operations.
    So we have no control over our information according to 
HIPAA. And so many of the violations turn out to be not real 
violations under the privacy rule.
    Mr. Waxman. So even though there were 30,000 complaints, 
not all of them would be violations? Even though they are 
enough of a problem that people are complaining about their 
privacy----
    Dr. Peel. Yes. Yes. Yes. People are concerned about privacy 
violations and they want help.
    Mr. Waxman. I would be interested in getting your input and 
suggestions on how we ought to change that law to make sure 
that we make clear that some invasions of privacy that concern 
people should be in violation.
    Dr. Peel. That is why we want you to define privacy and 
reestablish our rights to control where the information goes.
    Mr. Waxman. Thank you. Thank you, Mr. Chairman.
    Mr. Pallone. Thank you, Mr. Waxman.
    Mr. Deal.
    Mr. Deal. Thank you, Mr. Chairman. I apologize to the panel 
for my absence in and out today, but I was handling the 
Community Health Center Reauthorization Act on the floor, and I 
think all of us understand the importance of that piece of 
legislation, which we did pass by voice vote. Unfortunately, 
somebody asked for a recorded vote. So we have to deal with it 
later in the day. But that was the reason I was gone.
    I have listened to my constituents, some of whom have 
expressed some of the same concerns that many of you have 
expressed. But from the provider, the health care providers, 
the doctors' offices, and even some of the companies that have 
tried to put systems in place, there seem to be some concerns 
there and I would like to try to focus in on it and, Ms. Dare, 
I think you may be the one I need to address this to since you 
deal with the equipment and the hardware kind of side of it.
    One of the concerns that many people have expressed is as 
we craft something here, how do we deal with those maybe 
individual physician offices or practices that have already put 
their own systems in place, they already have an electronic 
medical record in place within their practices? When we talk 
about grant money and all of that, many of them get concerned 
about, well, we took the lead, and I have got one firm in my 
hometown invested a million dollars to put theirs in place. You 
know, they are concerned, well, we get left out of this 
process. How do we address making sure that those existing 
systems become interoperable in the exchange of information 
from them and should they be considered eligible for funding to 
make sure that that happens?
    Ms. Dare. Thank you for that very important question. I 
will answer the second part of it first if I might. My 
immediate thought is to say, yes, for some of the Committee to 
taking a system that isn't able to exchange information and 
convert it into one that is. That would seem a perfectly viable 
and appropriate use of the dollars available for investment in 
IT systems. I don't think we want to punish the first movers 
unduly and some of those systems were put in place before 
interoperability and exchange of information was readily 
available.
    The second part of your question, that front one hinges to 
a great extent on what kind of systems they have. So those 
electronic medical records--I use that term deliberately--have 
been around in health care for 20, 30 years, not widely used 
obviously. Those older systems predate the Internet or webcon 
activity, right? So depending on the date of the system and how 
it is designed, how you make those Internet-enabled or how you 
provide the right security technologies for them to share 
information appropriately isn't a question easily answered and 
it is almost a case-by-case situation.
    Mr. Deal. The more I have talked to people who are in the 
system, the more I am made aware that this is indeed a complex 
issue. It is being dealt with many times in a fragmented 
fashion, but if we are going to craft legislation, the 
legislation I think has to be comprehensive. So let me ask you 
about one of those somewhat fragmented approaches.
    We have people in companies who have approached it from the 
standpoint of the patient, the consumer, and whether it be 
smart cards or whatever you choose to call it, the idea of 
portable medical records that they can carry with them to 
whoever provides their health care. Some concerns that come 
into mind as I talk with my physician friends is, well, how do 
we make sure that every health care provider updates that card? 
That is one question. The other question, how do you deal with 
people who are not thought of in the mainstream such as an 
independent lab who is doing a test? Do we not have to make 
sure that however we craft this, that that inclusiveness brings 
all of these people under that tent or else we either miss 
important pieces of medical information or what we have is 
incomplete for one reason or the other?
    Mr. Ferguson, you probably have more experience from trying 
to deal with those issues than anybody else. Let me ask you if 
you would respond, and I may not have phrased it properly.
    Mr. Ferguson. Thank you for the question. I think that 
having the broad scope of different kinds of entities covered 
in terms of these interoperability specifications clearly is 
very important, and so we would want to look for some way to do 
that. Now, I think that in terms of the modern medicine just 
being so complex that it requires IT, I think really means that 
this has sort of become the cost of doing business. So we think 
that the implementation of the systems really is going to be 
demanded by the marketplace in terms of the higher quality cost 
and computer efficiencies and convenience that are coming being 
really the incentives for the slower adopters.
    Mr. Deal. Can I just ask one quick follow-up? As an 
insurance company, when you get a piece of a medical record, 
let's say from an independent lab that you are paying for under 
your policy, who feeds that information into it? Do you as the 
insurance company do it? Who puts that in the record?
    Mr. Ferguson. Well, the lab results in that particular 
case, they are ordered by the physician and they would then go 
from the electronic medical record system out to the lab and 
then the results come back to the electronic medical record 
system in the hospital that is then vetted into the system, if 
you will, by the physician before it can be released to the 
patient in that particular example. But this is actually a case 
where the portable device based--whether it is on a card or a 
thumb drive, that kind of record system can never be complete 
and up-to-date. So that is one of the reasons why we so 
strongly support these interoperability provisions and 
standards for transporting data as needed to present the 
complete record for patient care.
    Mr. Deal. Thank you. Thank you, Mr. Chairman.
    Mr. Pallone. Thank you, Mr. Deal.
    Next for question, the gentlewoman from Wisconsin, Ms. 
Baldwin.
    Ms. Baldwin. Thank you, Mr. Chairman. Mr. Ferguson, I 
understand that Kaiser Permanente has been very involved in 
promoting health IT interoperability and that you have 
participated in the Certification Commission for Health 
Information Technology. What I would like to do is ask a couple 
of questions about the work of that commission and how it would 
be influenced by the passage of this legislation and the 
Standards Committee that is proposed. But before I do, for 
context, can you give us a brief description of the work that 
the Certification Commission is currently doing?
    Mr. Ferguson. The Certification Commission for Health IT 
has developed certification criteria for ambulatory electronic 
health record systems, for inpatient systems, is currently 
starting work on personal health record systems and also for 
health networks or health information exchange organizations. 
And so in each of these areas, there are provisions under the 
Executive order that is being followed through HHS for these 
certified systems to be used in different contexts.
    Now, I think that one of the things, as I mentioned in my 
testimony, we would look for additional transition 
specifications in the legislation for some of the other 
entities that are involved in that Federal health IT strategy 
that HHS is currently pursuing. So that would include HITSP, 
the standards organization, CCHIT, the certification 
organization, the National Health Information Network, but also 
the advisory committee, NCVHS I think. So all of those 
different kind of entities need some sort of transition into 
the new structure and not really just the policy committee.
    Ms. Baldwin. So can you comment on how you might envision 
the Certification Commission interacting with the HIT Standards 
Committee that is created in the discussion draft before us? 
And also just comment on whether you think it would be serving 
a complementary purpose or are there some duplicative purposes? 
And lastly, to give you a laundry list here, lessons learned 
from the Commission that might be helpful to us in establishing 
the HIT Standards Committee that is in the discussion draft.
    Mr. Ferguson. I don't think there needs to be any 
duplication between the proposed Standards Committee and the 
Certification Commission if it were to retain essentially a 
similar purpose and function to what it does currently because 
the Certification Commission essentially ends up certifying 
systems against the standards that would be endorsed by the 
Standards Committee. So I think it is more of a complementary 
matter rather than duplicative.
    Ms. Baldwin. Any lessons learned that might guide us in 
examining----
    Mr. Ferguson. We found certainly a healthy tension between 
different parts of the electronic health records vendor 
community in terms of being able to move towards the 
interoperability standards quickly, where different segments of 
that vendor community have been able to move toward adoption of 
the interoperability specifications faster than others. I don't 
know if there was some codification of the requirements for 
moving to the interoperability standard, if that would help to 
sort of unify that movement.
    Ms. Baldwin. Thank you.
    Mr. Pallone. Thank you.
    The gentlewoman from North Carolina, Mrs. Myrick.
    Mrs. Myrick. Thank you, Mr. Chairman, and thanks to all of 
you for being here. It has been very helpful. I saw the concept 
of the draft in doing IT. I think it is critically important 
that we do that. They want to establish a permanent government 
office. That at least concerns me. So my question to any of you 
who wish to answer is, do you see after--if this gets up and 
running and is implemented, is there really a need for a 
permanent office? Once the Federal Government has done its job 
of getting it started and everything is working, do we still 
need that office?
    Dr. Peel. The only thing I would add is once the system is 
up and operating, I think there would still always be 
challenges to security and privacy. So we would like to see 
someone really have responsibility for protecting citizens and 
to make sure that these systems really are safe and do what 
they are supposed to do.
    Mrs. Myrick. And I was going to ask that question next, 
relative to what you see the role of preventative breaches. But 
would that only be with regard to the Federal side of it or 
with everybody, with individuals?
    Dr. Peel. Well, the breach problem is enormous, as you 
know, and increasing every year. I think there were 200,000 
breaches in Georgia in the last 3 years, 2 million in 
California. We really have a long way to go to make these 
systems really, really secure. And so--and even industry 
testing has proven they are not secure. There was an industry 
group that studied 850 electronic health record systems over 15 
months and they couldn't find one that couldn't be hacked or 
penetrated. So we have a long way to go for health technology 
to really be safe from hacking.
    So that seems to me it would be critically helped with 
continued coordination and oversight at the Federal level for 
security, as well as privacy, and we know that new threats are 
going to emerge and it would be good to have some 
coordination and guidance and leadership to make sure that the 
threats are dealt with in a reasonable fashion. Government 
hasn't yet, but that would be a great job for the coordinator.
    Mrs. Myrick. But you still see the role for the States and 
the State IDs?
    Dr. Peel. Oh, yes, absolutely. And that is in the Trust Act 
actually, language like that.
    Mrs. Myrick. OK, thank you. Anyone else? Dr. Stack.
    Dr. Stack. I guess I would look at my LNC reports to the 
Secretary of HHS, I believe. Is that not correct? So I look at 
it in a way that the CEO of the largest purchaser of health 
care in the United States, kind of how that CEO, the Secretary 
of Health and Human Services, would want to manage their staff. 
But I think there is going to be a lot of work for a long time 
to come on HIT and certainly you would want the Federal 
Government and its cooperative through Medicaid with the State 
governments to have a point person who could try to most 
efficiently and intelligently manage that resource. So it is 
hard for me to say it should be permanently there forever. But 
the amount of work to be done is not going to diminish as this 
goes forward.
    Mrs. Myrick. Thank you.
    Yes, Ms. Dare.
    Ms. Dare. If I might add briefly as well to build on Dr. 
Stack's previous comment that we have a health care sector but 
not a national health care system, I think there is huge value 
in someone having that national perspective in trying to bring 
a very fragmented health care sector together under some 
unifying initiatives and a national vision for what HIT can do, 
and I think that is added value for the permanency of that 
office.
    Mrs. Myrick. So that is what should take place in effect? 
OK. Thank you.
    Mr. Pallone. Thank you.
    Mr. Rogers.
    Mr. Rogers. Thank you, Mr. Chairman. To me this is one of 
the most important issues I think we can get bipartisan support 
on soon to unleash a lot of intellectual and real capital on a 
real problem. We have a 2008 delivery system in health care and 
a 1970s administration of health care. And I think this is the 
great way to do it. I do think and I get a little concerned--
and I want to thank Anna Eshoo, by the way, before we get 
started. We have worked on the bill for about 3 years. And it 
is bipartisan, bicameral. I see a lot of it is in this product 
and I hope that we can work together to work out some of the 
things that we have encountered in the process of putting that 
bill together. And both our staffs did a great job.
    The notion between security and privacy, they are very 
different problems, very different problems. And I think if we 
confuse them, we will do more harm than we will ever do good 
and we will stop the whole benefit of what health IT can bring 
to be more efficient and really save lives in health care. We 
have systems in Michigan that have already reported internally 
huge amounts of lives saved and money as a result because of 
medical errors that never happened that had happened before 
under the old systems.
    And so I want to direct this to Dr. Peel, because I love 
your passion for your issue. But one of the things on your Web 
site struck me and it said, and I quote, the greatest use of 
your health care records today is to hurt you, not to help you. 
Do you believe that?
    Dr. Peel. I do. And I will tell you why. We don't even 
understand how far information goes. In fact, I hope this 
committee and Congress will investigate how far data flows. 
This is the tip of the iceberg. For example, prescription data 
mining and sale. You know, I talked about that one company that 
is on the stock exchange that got $2 billion in 2006. We don't 
even know how many prescription data mining companies there 
are. We can't figure it out. And we learn things every day 
about new places where information is being collected and used 
that people would never imagine. Transcription businesses, 
where they will--many of them are offshored. It turns out when 
they get that data, they turn around because they can under 
HIPAA and they sell the data. Everyone that touches the data----
    Mr. Rogers. Let me ask you this, then.
    Dr. Peel. Everyone that touches the data potentially sells 
it and many of the electronic----
    Mr. Rogers. I hear you, Doctor. But don't you think it 
would be better to fix HIPAA than lay a whole other system of 
privacy over HIPAA?
    Dr. Peel. It doesn't matter to us where we put the fix. We 
just need the fix.
    Mr. Rogers. That is progress right there. So to say that 
you would be willing to do that----
    Dr. Peel. You are better at figuring out where and how this 
should be fixed than we are.
    Mr. Rogers. I wouldn't say that or we would have an HIT 
bill already. But I do appreciate that and your willingness to 
try to work with us because that is a very important point to 
me. If we lay another privacy layer over HIPAA, you might as 
well forget any savings, any interoperability. It is just not 
going to happen. And I think that would be a tragedy, an 
absolute tragedy if we don't come together soon on putting 
together some kind of health information technology bill that 
allows--but privacy--by expanding HIPAA, I am there. Nobody 
wants their records out there.
    Dr. Peel. OK.
    Mr. Rogers. But when you can make sure that we can save 
lives through medical errors to the tune of--I think it is 
79,000 people a year through medical errors in the United 
States of America, that is a tragedy. And I don't want to have 
our arguments and debates about the difference between privacy 
and security stop the saving of 79,000 people who we know the 
private sector can help us save. And that is my concern about 
how much effort we are spending here without the true 
explanation of how much good a health IT bill can do for 
thousands and thousands of Americans.
    And this consent provision I have to tell you worries me a 
little bit. And I agree, that is why we put a provision in to 
extend HIPAA to vendors of plans. And I know you don't like it, 
but I would argue that you should help us try to fix HIPAA 
versus try to create some confusion on what is a bill we know 
will save lives and save money.
    Dr. Peel. I would love to help you fix HIPAA. I agree with 
you completely. And your point about lives being saved with 
electronic medical records, I completely agree. But you have 
also got to understand, as I was talking about, millions of 
people won't come into my office, won't cross the threshold and 
get help unless they believe that their information is really 
safe and only stays with the people that they want to see it. 
And so there are lots of lives lost. People with delayed 
treatment for cancer, particularly in my field, people with 
mental illness. And I didn't even get to talk about the RAND 
study that showed 150,000 Iraqi vets with PTSD, post traumatic 
stress disorder, are afraid to get treatment because of privacy 
concerns. And soldiers know that their treatment and records 
are not private. I mean, this is a crime. This is unnecessary 
that these needy people that have sacrificed for us don't feel 
safe getting treatment because they don't want their futures 
jeopardized.
    Mr. Rogers. And I understand. And I understand your passion 
for it. But we need to make sure that emotion doesn't drive the 
reality of how we can fix that problem.
    Dr. Peel. It is very fixable with technology.
    Mr. Rogers. I absolutely agree. And I think the pretty 
strong rhetoric on your Web site--now, you say you believe it. 
I find that very hard to believe that people believe their 
medical records are there to hurt them. And the consent 
provision that you advocate for that worries me most is that we 
don't want to have to get consent from a doctor walking to a 
nurse or better yet a doctor picking up the phone and saying, I 
have this case, doctor friend of mine, that I am not sure I 
understand, I would like you to walk through it. That is called 
good medical care, I think.
    Dr. Peel. It is not needed for that. I am a practicing 
physician----
    Mr. Pallone. The two of you are arguing. Let me just stop a 
minute.
    Mr. Rogers. This is important, Mr. Chairman.
    Mr. Pallone. I understand.
    Mr. Rogers. I want to finish by saying that it is important 
and rhetoric is important in this debate. And let us all come 
together to understand if we can work this out without the 
harsh rhetoric, we will get a bill that will save lots of lives 
and engage the private sector.
    Mr. Pallone. I think that is a nice conclusion.
    Let me move to the gentleman from Texas, Mr. Gonzalez.
    Mr. Gonzalez. Thank you very much, Mr. Chairman. And thank 
you very much, and members of the committee and the ranking 
member, for allowing me to participate since I am not a formal 
member of the subcommittee. Nevertheless, there are many of us 
that are interested in this particular subject. Many of us have 
bills out there already floating around. You heard Mr. Rogers, 
I've got mine and everybody else has one out there. And I guess 
the way to describe it is I think we have--everybody is ready 
to dance but the bandleader hasn't started the music. So I am 
hoping that Chairman Pallone may be that band leader and this 
is the particular vehicle to start that music so that we can 
all get along with the project and with the challenges that 
face us.
    The debate that we are having here--and this is what 
concerns me. I am going to agree with Mr. Rogers here--is that 
when we go into HIT let us not open the debate to everything 
else out there and try to fix any and all problems that we have 
out there that exist only because the medium may be different, 
paper records and so on. I don't think that is going to happen. 
I think it is an opportunity to address shortcomings and if we 
can, we will. But this may be the committee to actually 
understand it better than any other committee. We have 
jurisdiction over telecommunications, we understand the 
industry, we understand the technology. We have individuals 
also, as Mr. Waxman and Mr. Markey, that are very, very 
dedicated to the proposition of privacy. And, of course, we 
have Mr. Pallone on the health end of it. So let us not waste 
this tremendous opportunity.
    The other thing is, we are talking about we need consumer 
confidence before maybe we can get this off the ground. Maybe, 
maybe not. Because I think--I am going to go on the record in a 
minute and ask Dr. Peel how she feels about what is going on 
out there where I think consumers are expressing some 
confidence by utilizing services that are out there presently 
that are not being offered by the government or the doctors. 
But the biggest impediment and my greatest concern is the 
medical profession--and this is to Dr. Stack. The greatest 
impediments would be, one, the cost. And we hear all we have 
are grants. But please understand there are other people that 
are thinking in terms of the Medicare incentives, that are 
considering the loans, that are considering the tax incentives. 
There is a reason they are not in this bill for very, very, 
very good reasons. But we understand we need to expand that 
particular universe.
    The other thing is this market uncertainty. I think Ms. 
Dare described it that way. Every doctor I talk to says 
Charlie, if we are going to invest that kind of money, we don't 
want this thing to be obsolete next year. We want it to be the 
total interoperability aspect of it. We have all these 
challenges. What scares me of course is we do get sidetracked 
with trying to fix every ailment when it comes to privacy and 
security and, no doubt, electronic medium does increase the 
risk. I give you that, Dr. Peel. But we have individuals out 
there. We have an individual from Verizon here. Their CEO is 
chair of the Business Roundtable on Health and Retirement that 
have embraced this concept already. We have got Google out 
there that is providing--and I do want to get to my question 
now. But hopefully this will preface where I am coming from. 
Google now offers personal health records on the Web. It is all 
totally in control of the individual. And they had this out of 
the Cleveland clinic, it was oversubscribed in SOAH. The Google 
record he said allows the user to send personal information at 
the individual's discretion into the clinic record or to pull 
information from the clinic records into the Google personal 
file.
    Now, remember, this is all motivated, generated, and 
controlled by the consumer, which is good, which pretty well 
tells me that they have some sense of security and confidence 
in some system that is out there that probably allows less than 
what we are providing under this particular piece of 
legislation.
    In the Cleveland trial--and I am reading this from the New 
York Times article--patients apparently did not shun the Google 
health records because of qualms that their personal health 
information might not be secure if held by a large technology 
company. Now, what information is shared with doctors, clinics, 
or pharmacies is controlled by the individual. We have 15, 
1,600 people. We are going to have a lot more people--you watch 
what happens with what Google is offering out there.
    So, Dr. Peel, I am just curious, why would so many people 
be willing to subscribe to this service? They see the value of 
it. The clinics, the practitioners see the value of it. If they 
had such concerns that they are just letting this information 
out there into cyberspace, that it may be shared by millions 
and millions of curious people?
    Dr. Peel. I would love to answer that. First of all, I 
think part of the reason people are willing to use the Google 
system is they strongly promise privacy. They strongly promise 
to control what happens to your records. Now, as you can 
already tell, we are suspicious. Maybe that is true. Maybe that 
is true. But I think it is the promise of control that they 
feel will help to drive acceptance. And let me just point out I 
know a little bit more about the Microsoft health vault system 
because Microsoft's business model for the health vault system 
is to adhere to all of the 11 privacy principles that our 
bipartisan Coalition for Patient Privacy suggested be put into 
health IT legislation. Microsoft feels that that is the model 
that is going to drive adoption of health technology, is really 
empowering the patient to control where the data goes. And 
going further than that, Microsoft----
    Mr. Pallone. We are a minute over.
    Dr. Peel. I am sorry.
    Mr. Gonzalez. And I apologize, Mr. Chairman. Ms. Peel, we 
can follow up this conversation in the future and I would 
appreciate it. Thank you very much for your indulgence, Mr. 
Chairman.
    Mr. Pallone. Sure. Mr. Markey.
    Mr. Markey. Thank you, Mr. Chairman, very much. And 
congratulations on your work and Mr. Dingell's and Mr. Barton's 
and Mr. Deal's on this bill. And I also want to thank Mr. 
Barton for mentioning the fact that he and I founded the 
bipartisan Privacy Caucus about 10 years ago and we have teamed 
up on adding privacy provisions to just about every bill that 
has come through here over that 10-year period and I am looking 
forward to doing the same thing here because I do think we have 
a privacy crisis in the country and it would be a tragedy if we 
didn't build the privacy principles into this bill. I love 
Google, I love Microsoft, and I love all the high-tech firms in 
my district. And if any of them want to provide high quality 
privacy, God bless you. And why would they object then to 
having a law that said that everyone else had to provide it, 
too? And I think that is how we have to view it. We will take 
whatever the standard is to Google users or whoever and we will 
say, good, we will mandate that, then. Huh? Do you have a 
problem with that? I don't think they will say they will, to be 
honest with you. I don't think the problem is with the 
technology companies. I think the technology companies will do 
this in a second. I think the problem is the insurance 
companies, it is these big HMOs. That is where the problem is. 
OK? It is not a technological issue. This can be done. It can 
be done quite simply. It can be done for a relatively low cost 
and all the high tech firms will move in and solve the problem. 
The problem is that the insurance firms and the other firms 
want to make money off of our privacy, they want to make money 
off of our medical secrets. They want to market our medical 
secrets to other companies and make dough off of it. OK?
    So that is our challenge. It is not a technological 
challenge at all. It is a challenge of whether or not we are 
going to say to every family in America when you hand over your 
medical records, they are protected unless you want to give up 
the privacy. And if you don't, then forget it. But what the 
hell, if you have got a broken wrist, what the hell do your 
psychiatric records have to do with this? Should they gain 
access to every single medical record you have if you are going 
in for a broken wrist? I don't think so.
    So, I have always said it and I will say it again, I will 
give my right arm to get privacy into the HIT bill and here is 
where I am right now. So, Dr. Peel, in your testimony, you have 
noted that as a practicing psychiatrist some of your patients 
have suffered significant consequences as a result of privacy 
breaches. What specific security and privacy protections in 
health IT systems do you think would make it less likely for 
such breaches to occur?
    Dr. Peel. Well, we think we need state of the art security. 
And in terms of privacy, a bipartisan coalition came up with 11 
basic privacy principles, which were really frankly in the 
amendment you proposed to H.R. 4157 in 2006. That basically 
incorporated all the kinds of protections we wanted. And we 
thank you very much for the Trust Act, which once again 
incorporates even more than the basic principles that were in 
your amendment to H.R. 4157. These we really believe--consumers 
really believe are what it is going to take for trust in this 
kind of a system and environment.
    Mr. Markey. Thank you. And by the way, right now I have 
already got game one of the Celtics versus the Lakers TiVoed on 
my TV set. I mean, how complicated this is with modern 
technology. You can get it all set 3 days in advance. This is a 
simple thing to say protect this person's privacy. OK? They 
haven't given us permission to send it to anyone else. It takes 
10 seconds to get it done.
    Question number two. As you know, in 2005, California State 
regulators fined a division of Kaiser Permanente for exposing 
on the Internet the confidential health records of about 150 of 
its patients for as long as 4 years. At the time, the director 
of the California State agency that levied the fine, the 
Department of Managed Care, said, quote, not only was this a 
grave security breach, Kaiser did not actively work to protect 
patients until after they had been caught. We are imposing this 
fine because we consider this act to be irresponsible and 
negligent at the expense--at the time--at the expense of the 
member's privacy and peace of mind. At the time, the $200,000 
fine was the largest the State of California had ever imposed 
on a health insurer for a breach of patient confidentiality.
    This privacy breach occurred as Kaiser was in the early 
stages of the creation of KP Health Connect. It is the 
electronic medical records system that you referenced in your 
testimony, Mr. Ferguson. Has Kaiser had a breach of its 
patients' personal information since the 2005 breach?
    Mr. Ferguson. Thank you for the question. I don't know of 
any breach.
    Mr. Markey. So you are saying they have not had any 
breaches since then?
    Mr. Ferguson. I don't know of any.
    Mr. Markey. But you should know. Don't you think you should 
know? That is the point. That is the point. We need to have 
security mandated. What specific privacy and security 
safeguards has Kaiser implemented since the breach to ensure 
that it doesn't happen again?
    Mr. Ferguson. We have had a very extensive security program 
in the--implemented through the IT area, including a large 
program of encryption, including encryption of laptops and 
endpoint devices. So we have taken this very seriously.
    Mr. Markey. So would you mind if we built mandatory privacy 
regulations into this health IT bill? Would you mind at Kaiser?
    Mr. Ferguson. I think this is a complex area.
    Mr. Markey. But we need strong privacy laws to accompany 
this, yes or no? I am going to ask the question. Yes or no, 
should this law as we are passing have strong privacy laws? And 
it will start down here. Yes or no? Yes, or no, privacy should 
be included in the health IT bill, strong privacy protections?
    Dr. Stack. Appropriate rules, yes.
    Mr. Markey. Yes. OK. Yes, sir.
    Dr. Thames. Same answer. Appropriate rules, yes.
    Mr. Markey. OK. Yes, ma'am. Privacy in this bill----
    Ms. Dare. Appropriate rules, yes.
    Mr. Markey. Appropriate rules. What does appropriate mean?
    Mr. Pallone. Mr. Markey, you can keep going with the panel, 
but you are a minute over. So let them just finish and then we 
will move on.
    Mr. Reed. I would say we should have Federal rules in the 
bill.
    Mr. Markey. OK. Federal rules. Yes, sir.
    Mr. Ferguson. Appropriate and consistent rules.
    Dr. Peel. Yes, appropriate and consistent rules based on 
medical ethics and the history of law in this country.
    Mr. Markey. Thank you.
    Ms. McGraw. I was going to say ditto, but I don't think I 
can. Yes, appropriate rules, absolutely.
    Mr. Markey. Thank you, Mr. Chairman. I appreciate your 
indulgence.
    Mr. Pallone. You are welcome. Then we are all done. Listen, 
thank you all very much for being here. We appreciate your 
input. It was very helpful in terms of moving forward with this 
discussion draft. And we appreciate your being here.
    Next panel, if you would come forward, please. I should 
mention, as I think I did before, that we may give you some 
questions to answer within the next 10 days in writing. The 
second panel, please come forward. Let me welcome our second 
panel, which I understand consists of one witness, which is Dr. 
Carolyn M. Clancy, who is Director of the Agency for Healthcare 
Research and Quality of the Department of Health and Human 
Services. My understanding is that Susan D. McAndrew--Ms. 
McAndrew is here to assist you with questions, but not give an 
opening statement. Ms. McAndrew is Deputy Director for Health 
Information Privacy of the Office for Civil Rights at the 
Department of Health and Human Services.
    And I think you know the rules: 5-minute opening statement, 
they become a part of the record, and we may ask you additional 
questions to follow up in writing. So thank you, Dr. Clancy. If 
you would begin.
    Dr. Clancy. Thank you, Chairman Pallone, Ranking Member 
Deal and members of the subcommittee. Good afternoon. I am Dr. 
Carolyn Clancy, Director of the Agency for Healthcare Research 
and Quality, an Operating Division of HHS, otherwise known as 
AHRQ. And you just introduced Ms. McAndrew for me. And I ask 
that our written statement be made part of the official record.
    Health IT, as you have been hearing from the first panel, 
is a critically important tool to improve the quality, safety 
and value of health care. Health IT can help save lives by 
identifying certain medical errors in realtime, improve quality 
and efficiency, give health care professionals more advanced 
decisionmaking tools, and provide individuals with new ways to 
participate in their care or the care of their loved ones.
    To that end, AHRQ has invested $260 million since 2004 to 
support and stimulate investment in health IT. This translates 
to almost 200 projects in 48 States. And at the direction of 
Congress, we have committed a significant proportion of that to 
rural and underserved settings. However, hardware and software 
in every health care facility in America alone will not improve 
quality, safety and value. We need a network that allows for 
the safe and secure sharing of information in realtime, 
standards that make the sharing of that information possible, 
and widespread adoption of health IT by health care providers.
    So the catalyst for the creation of the networking 
standards is the Office of the National Coordinator for Health 
IT, fondly known as ONC. ONC works to promote the adoption of 
health IT in American health care. So the analogy here--now 
that the woman from Verizon has left--is, if everyone had a 
cell phone but there were no network to plug into, it would be 
a limited utility. So as you know, health IT has been one of 
Secretary Leavitt's highest priorities since he took office. 
His central focus is the adoption and use of standards that 
allow for the efficient, confidential and timely movement of 
data and information through the health IT network. He has 
always maintained that the best way to do this is through a 
deliberative, transparent and inclusive process that combines 
the power of government with private sector resources and 
innovation.
    So in 2005, Secretary Leavitt chartered the American Health 
Information Community, or AHIC, to make recommendations on how 
to accelerate the development and adoption of interoperable 
health IT. The AHIC has been an overwhelming success to date. 
It has provided the venue to set priorities and advance other 
meaningful recommendations to realize the adoption of 
standards, to enable interoperable health IT. As an advisory 
committee, however, the AHIC can take the Nation only so far. 
It can only make recommendations to HHS. It cannot take direct 
action or make decisions that obligate all key stakeholders to 
follow.
    For nearly a year then, the AHIC and HHS have held ongoing 
public discussions regarding the best possible successor to the 
AHIC in the form of a neutral independent body that is not 
controlled, formed by, or required to report to any branch of 
government. Today is the third and final planning meeting for 
the AHIC successor at which groups comprised of consumers, 
physicians, health industry leaders, Federal leaders, and 
technical experts are presenting their recommendations to 
implement a sustainable public-private partnership that 
accelerates and builds on current progress. Our colleague, Dr. 
Rob Kolodner, the National Coordinator for Health IT, is 
representing HHS at that meeting, which is why he couldn't join 
us for today's hearing.
    Let me just say that I have been extremely impressed by how 
many people have stepped forward to volunteer. The new self-
governing AHIC successor, wildly inclusive of all stakeholders, 
will build on the momentum generated by the predecessors and 
Secretary Leavitt. So in a nutshell, the AHIC to date has 
translated 30 years of research on health IT and existing 
standards into tools that improve the quality and safety of 
health care and it has succeeded because of the involvement of 
health industry leaders combined with broad engagement of 
technical experts through working groups. We have made great 
progress in creating common standards, a process known as 
harmonizing. And through Secretary Leavitt's leadership and 
formal recognition, we now have identified many of the most 
important standards that need to be used for interoperable 
health records and personal health records.
    So I would like to close with just three brief observations 
regarding health IT and improvement in health care. The first 
is that health IT is essential to high quality, high value 
health care, but it is not sufficient. In fact--and you heard 
this from the first panel--without attention to work flow and 
processes, health IT can actually speed up mistakes. This was 
seen in an intensive care unit in a children's hospital in 
Pittsburgh where the system was implemented very rapidly. So 
the new electronic system actually exacerbated underlying 
communication and work flow problems. Thankfully these have 
since been corrected.
    The second is that there are huge opportunities for health 
IT to transform health care organizations, those that provide 
care, to contribute to a learning health care system. Health IT 
can actually help clinicians and patients ensure that they have 
got evidence that they need when they are making decisions at 
their finger tips. And it can also enhance much needed language 
between health care delivery and biomedical science.
    And the third point is that clinicians and health care 
organizations providing care to rural and underserved 
communities may need additional assistance to improve health 
care through the effective use of health IT. That has been a 
big focus for the national resource center that AHRQ supports 
and one that is certainly worthy of continued attention.
    So let me close by saying that we look forward to working 
with the Committee on our shared commitment to health IT and 
improved health care in discussing the implications of adopting 
health IT standards and certification criteria through 
rulemaking. Our concern derives from prior statutory 
requirements in environments where standards evolve at a rapid 
pace, and the concern is that the rulemaking has the potential 
to chill progress and prevent interoperability rather than 
promote it.
    So thank you for your time, and I very much look forward to 
your questions.
    [The prepared statement of Dr. Clancy follows:]
    Mr. Pallone. Thank you, Dr. Clancy. And I will start with 
the questions. In 2006, the President issued an Executive order 
that requires--and I quote--as each agency implements, 
acquires, or upgrades health information technology systems 
used for the direct exchange of health information between 
agencies and with non-Federal entities, it shall utilize where 
available health information technology systems and products 
that meet recognized interoperability standards or standards 
that allow for the electronic communication of health 
information among providers, insurers, and others. In addition, 
it says--and I quote--each agency shall require in contracts or 
agreements with health care providers, health plans, or health 
insurance issuers, that as each provider plan or issuer 
implements, acquires or upgrades health information technology 
systems, it shall utilize where available health information 
technology systems and products that meet recognized 
interoperability standards.
    That is a mouthful. I just wanted to ask you. Can you tell 
us how this Executive order is being currently applied? And 
then I wanted to mention a few other things about who it 
applies to. But how is it being currently applied?
    Dr. Clancy. Sure. Let me give you two pieces of 
information. One, there is a scorecard process. As you might 
imagine, the trick here is for those programs like Veterans 
Affairs that are owned and controlled by the Federal 
Government, it is a different sort of process than the military 
treatment facilities for that matter. They have the direct 
control to make that happen rapidly. When you are talking about 
a contracting process, it takes a little bit more time. There 
is a scorecard process which gets reported to the Office of 
Management and Budget, and we would be happy to provide more 
detailed follow-up information on the status of that scorecard.
    Mr. Pallone. If you would, I would appreciate it.
    Dr. Clancy. The second piece I would add about the 
Executive order is we all see that there is a huge opportunity 
for health IT to support improvements in quality and safety and 
care. Right now, most commercially available products actually 
do not enable you to report on quality electronically. You 
can't just sort of hit F7 and up go the quality measures. But 
that has been a very clear focus of a current AHIC Quality Work 
Group that I co-chair.
    Mr. Pallone. If I could just get a yes or no because I want 
to get to a second question as to where this Executive order 
applies. Does it apply to plans under the Federal employee 
health benefits?
    Dr. Clancy. Yes.
    Mr. Pallone. Does it apply to Medicare fiscal 
intermediaries?
    Dr. Clancy. Yes.
    Mr. Pallone. And does it apply to Medicare Part D plans?
    Dr. Clancy. I believe so, but I would have to follow up 
with you.
    Mr. Pallone. If you would get back to us. And does it 
apply to Medicare Advantage plans?
    Dr. Clancy. Yes.
    Mr. Pallone. And finally, does it apply to providers 
through the Medicare conditions of participation?
    Dr. Clancy. I don't believe it is framed as a condition of 
participation. It is framed as what we would do under 
contracting mechanisms.
    Mr. Pallone. OK. If you would get back to us in writing on 
the other.
    The second question--you have testified that HHS seeks to 
fully privatize the American Health Information Community, or 
AHIC, which currently exists as a Federal advisory committee to 
find and make recommendations on the future direction for HIT. 
And the private entity is required to be self-sustaining 
financially. So I am fearful, as I mentioned before, it could 
be based on a pay-to-play model. I have concerns with 
maintaining a strong beneficiary and consumer voice and 
ensuring transparency in the process of developing policies and 
standards for the electronic exchange of health information. A 
committee pursuant to the Federal Advisory Committee Act, FACA, 
has transparency and notice requirements that allow for strong 
consumer involvement and transparency. For example, FACA 
requires timely notice of each public meeting through the 
Federal Register. It requires the committee to permit 
interested persons to attend its meetings, to appear before the 
committee and to submit written statements with the committee. 
It requires that detailed minutes be maintained and that all 
committee minutes transferred for board studies and more be 
available for public inspection and copying.
    On the other hand, a fully private entity could settle on a 
pay-to-play model since it has to be financially self-
sustaining. Vendors, employers and others have more money that 
can enable them more votes or a louder voice. It can make 
decisions in a nonpublic meeting without input from all 
interested parties.
    You get the drift of what I am trying to contrast here. So 
I have one issue. Do you disagree with ensuring a strong public 
and consumer voice through these requirements guaranteeing a 
public, open, and transparent process? I mean, what is going to 
happen here if this isn't fully private?
    Dr. Clancy. Sir, Secretary Leavitt believes very strongly 
and has always maintained that the best way to make progress is 
to have a process that engages the most senior decision makers 
in the public and private sectors and brings with that 
representation from all stakeholders that is broadly inclusive. 
I don't think transparency and the notion of broad inclusivity 
has to be limited to a FACA process. I would say that our 
biggest concern is actually loss of momentum from the AHIC that 
is operating now to setting up a new FACA. But I am describing 
for you what our concerns are.
    Mr. Pallone. But do you share my concerns that we might 
enter into this pay-to-play model and not have this 
transparency?
    Dr. Clancy. As envisioned, the AHIC successor won't be 
successful. It won't succeed, and it won't engage the Federal 
Government as a major participant as we are committed to do 
right now unless it does have that kind of representation. And 
I think the big question is how do you build on the momentum 
that exists right now and engage broad participation? That, I 
think, is the real question, and our proposal is this 
succession process which has already been in play for most of 
the past year.
    Mr. Pallone. But you really haven't addressed my concerns. 
How are you going to address those?
    Dr. Clancy. It is going to need to be a requirement, and I 
think the Federal Government will have to make their condition 
of engagement with this activity contingent on making sure the 
consumers are heard from. That has been a very, very high 
priority for us; how to get to a sustainable business model is 
an interesting question. But I think that we are committed to 
paying our fair share as part of that business model moving 
forward. I don't think I have seen a number of multi-
stakeholder collaborative processes where they do have 
transparency, where they do let people know about meetings and 
so forth. So I don't think that has to necessarily come under a 
FACA.
    Mr. Pallone. So you would try to build those provisions in?
    Dr. Clancy. Yes.
    Mr. Pallone. OK. Thank you.
    Mr. Deal.
    Mr. Deal. As I understand it, you believe that a public/
private partnership is preferable as to a successor to AHIC 
rather than the formulation set forth in this draft 
legislation; is that correct?
    Dr. Clancy. Yes.
    Mr. Deal. Would you elaborate on why you think that is 
preferable?
    Dr. Clancy. I think the one concern is loss of momentum. 
This succession process has been in place, got started almost a 
year ago, and for the past 4 months or so what we have put in 
motion through a convening process is a grant to the Engelberg 
Center at the Brookings Institution working with another 
contractor in McLean, Virginia, LMI, to put in place a very 
elaborate planning process. They have engaged very senior 
leaders in health care, physicians, hospitals, health care 
organizations and so forth, as well as very broad 
representation from stakeholders. And I have been enormously 
impressed by every place that I speak or interact with folks 
that are in health care how many people are engaged in very 
much following this process. So that level of engagement, I 
think, is going to be necessary to make this enterprise move 
forward in a way that we all want.
    So I would be worried about loss of momentum, and as I said 
to the Chairman, I don't think that transparency and a strategy 
that assures that ability to pay is not the condition for 
participation has to be limited to a FACA, so that would be our 
concern.
    The last comment I would make is through our work with the 
AHIC and work groups and so forth, I have been enormously 
impressed by how many people have stepped forward in a 
voluntary way through the work group process. And I have also 
been impressed that to make progress, you need to bring 
together people who are users; that is to say who are affected, 
whether it is clinicians putting this in their practices, or 
their patients worried about what happens to my information. 
You need people who understand policy, and you need people who 
really understand the technical details, the kinds of details 
that we all want to say, give me the bottom line here. But they 
are incredibly important, and what you need is a process that 
can actually pull all that together, and then you need 
decisionmakers who say, OK, we are going to move with this. And 
Secretary Leavitt believes that the sustainability of a public/
private process that is docked in the private sector is most 
likely to succeed.
    Mr. Deal. In other words, if we ingrain it in statute, we 
lose a lot of the flexibility and ability to adapt the 
standards maybe as they should be altered or changed in the 
future?
    Dr. Clancy. That is one concern, yes. The second is that 
the appointments process inevitably has some risk of 
politicization, a word I can't say very easily.
    Mr. Deal. As I understand from your background, there is a 
lot to be gained through electronic medical records in the 
ability to assess overall treatment modules that are used in 
the health care system, the effectiveness of tests, the 
effectiveness of various procedures. Would you elaborate on 
that? Because that is a little bit out of the realm of what we 
have talked about up to this point.
    Dr. Clancy. Sure. So every day in health care in the paper 
world, clinicians and patients make decisions together, and it 
is sort of scribbled down on paper, and we don't get to learn 
very much. We don't get to learn very much about the off-label 
use of medications. For example, a report that we sponsored 
found that that happens about 20 percent of the time, often 
very appropriate, it is legal. And there is a lot to learn 
because when clinicians and patients come to a problem where 
they don't have any good answers, and they try something new, 
it would be great to learn from that, and we don't have a way 
to do that.
    If you have interoperable records, you have a strategy to 
be able to learn that. Similarly, you have a strategy where 
right now if I am seeing patients, and I have a patient who 
might benefit from being in a clinical trial, I have to think, 
clinical trial, and type in to get to a Web site at NIH, which 
is a wonderful resource. That could actually be linked with an 
electronic health record, which already pops up for me the 
information about which clinical trials the patient is eligible 
for and so forth. And it becomes the platform to give 
clinicians information in the same way that Amazon does.
    You know, when I logged on to Amazon not too long ago, they 
let me know that Bruce Springsteen, who I like, had a new CD 
out, and thankfully did not give me any information about 
Britney Spears. And so technologically we know how to do that.
    The big opportunity for my agencies and others working 
together, and we are working on this, is to distill knowledge 
so it, too, can be built into electronic health records, which 
means that effectively we can shorten the way-too-long time 
frame we have to translate research findings into practice. 
That, I think, is going to be a part of the huge promise that 
you were hearing about in the first panel.
    Mr. Deal. Thank you, Mr. Chairman.
    Mr. Pallone. Thank you, Mr. Deal.
    The gentleman from Texas. Mr. Gonzalez.
    Mr. Gonzalez. Thank you very much, and welcome, Dr. Clancy. 
And I am not sure that you covered it in your statement. Does 
HHS have a pilot or demonstration project out there right now 
that will soon be taking effect? I know that I think you are 
soliciting for participants. I try to get some doctors out of 
San Antonio, but I think you required a limit of 200 physicians 
to basically form--I'm not real sure. Are you familiar with 
what I am making reference?
    Dr. Clancy. We have an EHR, electronic health record, 
demonstration program that CMS is sponsoring, which is actually 
going to be giving physicians incentives to adopt health IT, 
and then in subsequent years those incentives will be linked to 
achieving certain quality goals. I am not sure that is what you 
mean.
    Mr. Gonzalez. My understanding was, again, a demonstration 
or pilot project. The only thing I was concerned about is you 
didn't have that many qualified applicants, or you didn't even 
have that kind of response, because the conditions, as I 
understood them, and maybe I will just follow up when I get 
more information, but I know I couldn't get my medical society 
and the number of doctors to really come together because the 
numbers were so great, and then only half of these doctors 
would be eligible for any of the incentives, and then the other 
half would not, which was a rather curious way of doing it.
    My concern is that when we have CMS going out with pilot 
demonstration projects, then what you glean from that sometimes 
determines which direction we take, and so the quality of the 
demonstration process determines the quality of the product. 
And I hate to say that you all have not been real successful in 
some of those things, whether it is the medical equipment or 
the coding system or the racks, and we could go on and on. But 
nevertheless, I will follow up on it.
    The other question that I have, you heard from a 
representative of Cisco, and she referred to it as market 
uncertainty. And yet in your testimony--and I think the only 
way we ever get to market certainty, not uncertainty, is 
probably through government sponsorship, stewardship. And so I 
know you have had this discussion with the Chairman, and I know 
Mr. Deal made reference to it. Mr. Deal indicated that we 
shouldn't be legislating this.
    My understanding is what we are setting up is a regulatory 
scheme where we actually authorize a governmental entity or 
agency to study, promulgate rules and so on. It is not 
necessarily set in stone. It is my understanding, I could be 
wrong, that we are setting some sort of legislative definition, 
qualifications, requirements and standards. I don't think we 
are doing that, so I don't think we are really legislating 
that.
    What we are doing is creating a regulatory scheme which 
works very well, and I think the only way we probably will 
provide that type of certainty that the doctors are out there 
calling for before they make this kind of substantial 
investment. Wouldn't you agree that that is a sound way of 
approaching what Ms. Dare characterized as the market 
uncertainty aspect of it?
    Dr. Clancy. Well, if I think about physicians in Texas, I 
would guess that many of them are contracting with multiple 
insurers. That is how the market works in most places, and, in 
fact, what is driving a lot of physicians, particularly those 
in small practices, a little bit crazy is the burden of having 
multiple different requirements for multiple private insurers 
and CMS.
    So ultimately to make progress, I think there has to be an 
alignment of policy interests and objectives between the public 
and the private sectors, which means that, in essence, what you 
need is an entity that promotes a sustainable public/private 
partnership. So if I am in Texas, I am an internist and I am in 
internal medicine, and I see, say, a third of my patients are 
on Medicare, and then two-thirds are accounted for by 8 to 10 
private insurers. If they all have different reporting 
requirements or different aspects of care that they want me to 
report on: A, I am probably going to go crazy; B, that doesn't 
help with my decision about should I buy an electronic health 
record. If they are asking for common reports about quality of 
care and have a common approach to incentivizing the adoption 
of electronic health records, I think that really begins to set 
the stage.
    The key to getting that kind of agreement is having an 
entity that supports that sort of public-private alignment.
    Mr. Gonzalez. I think this bill would accomplish that in 
the scheme that we envision, and that some philosophically or 
for their own ideologies fear that the government is setting 
standards and requirements which the government has to. It is 
going to have private involvement, no doubt. I tell you that 
now.
    From the private insurance--and I don't know that we are 
discussing two different things. If we are talking about what 
we are going to be adopting in the way of systems, what their 
capabilities are to make sure that they talk to one another, 
that we have this interoperability, that is one thing. Now, an 
insurance company may have their own quirks and such, and they 
do it for their own reasons. And they are only going to adopt 
that which HHS or CMS has when it is to their advantage, such 
as a physician compensation standard and such, but they surely 
aren't on prompt pay. They surely are not on uniformity of 
claims and such, and hopefully we will address that in the 
future because I think they really do game the system to their 
advantage.
    But I am not talking about all that. I am just saying what 
does the equipment look like? What should be its capabilities? 
What should be the standards? What should be the minimums so 
that when doctors make this investment, they know that, looking 
forward, they are going to have to maintain it? It is going to 
cost money, as Dr. Stack indicated, but they know it is not 
going to be obsolete. We have many doctors who have had bad 
experiences and are really----
    Dr. Clancy. Oh, yes.
    Mr. Gonzalez. I applaud HHS, CMS and Governor Leavitt for 
their work. But so much more needs to be done, and I would hope 
that you would embrace this particular concept. We have a lot 
of legislation out there. This one is probably going to be the 
most viable and gets us started. We are way, way behind, and 
this does impact the quality of care for all the patients 
throughout this country.
    Thank you very much, Mr. Chairman.
    Mr. Pallone. Thank you, and thank you, Dr. Clancy.
    We didn't hear from Ms. McAndrew, but thank you for being 
here with us.
    I think I mentioned before, and I will remind the Members, 
that within 10 days, if they have questions in writing, we are 
supposed to submit them to you. So if we have some of those, 
the clerk will notify you within the next 10 days.
    But again, thank you, and we started out saying this is a 
discussion draft, and obviously we want to take your input and 
that of the other witnesses as we proceed over the next few 
weeks. We would like to do a bill this session, obviously, but 
we are going consider to continue to take comments, if you 
will.
    Dr. Clancy. I know straight from him that Secretary Leavitt 
very much looks forward to working with you on that, so thank 
you for having us.
    Mr. Pallone. Thank you again, and without objection, this 
meeting of the subcommittee is adjourned.
    [Whereupon, at 1:20 p.m., the subcommittee was adjourned.]
    [Material submitted for inclusion in the record follows:]

                    Statement of Hon. Diana DeGette

    Thank you Mr. Chairman. A number of my colleagues, the 
Oversight & Investigations Subcommittee, and I took a trip last 
year to New Orleans to conduct a field hearing on the hospital 
infrastructure of the city in the aftermath of Hurricane 
Katrina. Some of the hospitals there were in literal ruins, and 
thousands and thousands of individual medical records were 
ruined. In many cases, those files contained the entire medical 
history of many of the city's residents and represented 
millions of dollars of tests, diagnosis, and treatment.
    At the same time, as soon as power to the city and 
telecommunications was restored, some pharmacies were able to 
bring up prescription records with ease. With a nationwide 
database, customers had access to critical information about 
their personal health, both in New Orleans and in the cities to 
which they had relocated. We need to have a system of health 
information that makes this specific experience with Hurricane 
Katrina the norm, not the experience faced by the patients of 
Charity Hospital and other health care providers.
    That trip reinforced my conviction that health information 
technology is an absolutely vital piece of the health care 
puzzle and a direction we need to move in with greater haste.
    Mr. Chairman, I sincerely believe that adoption of health 
information technology, particularly electronic health records 
(EHRs), will have a profound impact on our health care system. 
Using electronic prescribing, these problems will be eliminated 
as pharmacists will clearly see the prescription and be able to 
cross reference that with the patient's EHR to identify 
possible drug interaction problems. Billing will also be 
drastically improved as standardized forms make it easier for 
claims to be processed by Medicare, Medicaid, and private 
payers.
    And in fact we've already seen tremendous progress with 
electronic health records in many regards, for example the 
Veterans Affairs system.
    Now, having said all that, we must not fool ourselves into 
thinking that health information technology, in and of itself 
is a panacea for all the problems of our health care system. 
Moving to a more electronically-based system brings its own set 
of challenges, primary among them, the issue of privacy. And 
privacy is a big issue indeed.
    The Federal Government's record on safeguarding the privacy 
of sensitive personal information is marred by troubling 
lapses. In 2006, for example, personal information on 26 
million veterans, including their Social Security numbers and 
birth dates, was stolen from the home of a Department of 
Veterans Affairs employee. The employee had taken the data home without 
authorization.
    In another troubling incident, a laptop computer containing 
medical records of 2,500 patients enrolled in a National 
Institutes of Health study was stolen from the trunk of a 
researcher's car. The patients' records were not encrypted, in 
violation of federal security policies. NIH waited nearly a 
month before sending letters to notify the patients.
    A viable health IT system must include safeguards to 
protect patients from privacy breaches like these.
    Having been a member of this committee for almost 12 years 
now, I can remember the many debates on privacy we have had in 
the context of other issues, such as financial services. Ah, 
the good old days when those issues were under our 
jurisdiction. We had some very productive debates about privacy 
when we worked on financial services reform, electronic 
signatures etc., and much of what we debated and learned during 
those hearings is relevant today as we discuss privacy in the 
health care realm.
    However, I also want to draw attention to the benefits that 
can come from strengthening of our Nation's health IT systems. 
Denver Health and Hospital System, in my district, has a 
revolutionary health IT system that allows for interoperability 
and access at numerous providers across the city. Although 
their system is still in its early stages, with many components 
that still need to be added, it has drastically improved the 
health of many Denver residents. Currently, patient records are 
scanned and electronically available to all providers at the 
main public hospital emergency room, at the many community 
health centers across the entire city, at the school health 
centers located within the schools, as well as at other 
providers with the Denver Health and Hospital System.
    So, if a child goes to the emergency room late one night 
and then presents at the school health clinic or even a 
community health center, the doctors and nurses instantly have 
knowledge about previous visits to the ER, any tests that were 
done, medicine that was given, etc., even if the child neglects 
to tell the doctors about those visits. This saves tremendous 
amounts of money on duplicate tests and improperly managed 
conditions. It also leads to greatly improved health outcomes 
through coordinated care and better management of chronic 
health conditions.
    Although it is not yet a fully interoperable electronic 
health record (EHR), I think the Denver Health system shows us 
the potential benefits that can come of health IT and why it is 
so important that we pursue a coordinated, interoperable health 
IT system with nationwide standards and adequate privacy 
protections.
                              ----------                              